Author Archives: privacynewshighlights

03-09 June 2016


CA – Federal Photo-Matching Scheme Quietly Singles Out Passport Fraudsters

Federal officials used photo-matching technology to identify 15 high-risk people – all wanted on immigration warrants – who used false identities to apply for travel documents. The Liberal government might make the facial-recognition scheme permanent to help find and arrest people ineligible to remain in Canada due to involvement with terrorism, organized crime or human rights violations. The photo-matching idea emerged from concerns that people wanted by the Canada Border Services Agency might use fake names to obtain genuine Canadian travel documents from the Immigration Department’s passport program, say internal memos released under the Access to Information Act. The privacy commissioner’s office has not been consulted on the project. However, both the border agency and the passport program have shared information about other facial-recognition initiatives with the commissioner. Passport officials have used the image-matching technology for years to see if someone has applied for multiple travel documents in different names. The border agency has quietly been working with other agencies since at least 2011 to gauge the ability of devices to extract usable facial images from video footage. [Source]


CA – Court Rules that Health Records Do Not Require Vetting Prior to Disclosure to Children’s Aid Society

The Court considers a request for a protection application for the production of records from non-parties. The records, containing mental health information of a parent, do not require vetting by counsel for the society or the parent (this approach could give either party an unfair advantage in litigation), or the Court (the mental health records are relevant to whether the parent’s children are in need of protection, and the production order will be structured to preserve the parent’s privacy interests). [Catholic Children’s Aid Society of Hamilton v. L.K. – 2016 CanLII 15148 (ONSC) – Superior Court of Justice of Ontario]

CA – BC Appeals Court Finds Senders of Texts and Emails Have a Reasonable Expectation of Privacy in the Content of the Message

A review of the impact of the BC Court of Appeal’s decision in R. v. Craig. Senders have a reasonable expectation that their text messages will be confidential; senders do not abandon their right to privacy in the content of the message, to the extent that they should be able to count on the recipient’s duty of confidentiality. While there is inherent risk in any human interaction, the risk that a message might be improperly shared (i.e. breach of confidentiality) is not enough to vitiate a reasonable expectation of privacy. [Privacy, technology, and instant messaging – The British Columbia Court of Appeal sends a (instant) message – Dara Jospé, Michael Shortt, and Antoine Guilmain – Fasken Martineau, Montréal]

CA – Other Canada News


US – Survey: A Year After the OPM Hack, Victims Don’t Feel Safer

A Federal News Radio survey on the Office of Personnel Management breach has found that roughly 55% of government employees and contractors don’t feel their personal information is safer a year after the hack. George Mason University’s Jim Jones said one reason for these responses is that many acknowledge that the risks move faster than security efforts. “The threat is so flexible and responsive in the sense that when we do something, we close one hole they simply move on to another one,” he said. Meanwhile, NPR also examines the changes in security practices at the OPM in a subsequent report. [Federal News Radio]


CA – OIPC ON Cautions Against Using Personal Email and Instant Messaging When Doing Public Business

Ontario’s Information and Privacy Commissioner, Brian Beamish, is calling on the leaders of all public institutions to educate staff and enact policies to strictly control the use of personal email and messaging tools, such as BlackBerry Messenger, to conduct business. All public servants should be aware that records relating to government business are subject to provincial access legislation, even if they are created, sent or received through instant messaging tools or personal email accounts. The use of these tools and accounts can create a number of challenges for institutions in meeting their obligations under Ontario’s access and privacy laws. To avoid these issues, Beamish is asking all Ontario institutions to strictly control the use of personal email or instant messaging when doing business, and to implement clear policies to help public servants meet their legal obligations. If it is necessary to use these tools, institutions must plan for compliance by conducting thorough risk assessments and implementing appropriate administrative and technical measures to ensure that records are saved. A new guide to assist Ontario’s public institutions, Instant Messaging and Personal Email Accounts: Meeting Your Access and Privacy Obligations, is now available. [Office of the Information and Privacy Commissioner of Ontario]

Electronic Records

CA – Alberta OIPC Issues Guidance for EHR Systems

The OIPC of Alberta has published Guidance for Electronic Health Record Systems. This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Two versions of the document are available on the OIPC website: a PDF version and an editable Word document.

EU Developments

US – US and EU Officially Ink Umbrella Agreement

Officials from the EU and U.S. officially signed the so-called Umbrella Agreement, which sets privacy protections on European citizens’ personal data when transferred to the U.S. for law enforcement purposes. It will give EU citizens judicial redress in U.S. courts — something the EU already provides for U.S. citizens. U.S. Attorney General Loretta Lynch, Dutch Minister Ard van der Steur, and EU Justice Commissioner Věra Jourová signed the deal Thursday. Privacy advocates, however, have expressed concern about the deal. Access Now’s Estelle Massé said the new rules are “toothless” and that it “should absolutely be brought back to the drawing board.” [Ars Technica]

EU – British Lawmakers Pass New Digital Surveillance Law

The House of Commons passed the controversial Investigatory Powers Bill, which would provide security agencies with stronger monitoring abilities. The bill was approved 444-69. Interior Minister Theresa May said the new law will help “keep us safe in an uncertain world.” While May noted the scrutiny of the Investigatory Powers Bill was “unprecedented,” a new privacy clause has been added requiring agencies to contemplate less intrusive ways to surveil, while also offering special protections for lawmakers, journalists and lawyers. “It provides far greater transparency, overhauled safeguards and adds protections for privacy and introduces a new and world-leading oversight regime,” May said. The bill now moves to the upper house of Parliament, the House of Lords. [Reuters]

EU – European Commission Creates Code of Conduct for Mobile Health Apps

The European Commission has formally submitted a code of conduct to the Article 29 Working Party to increase privacy capabilities on mobile health apps. The code has been handed in for comments, and once approved, app developers can voluntarily commit to it. The European Commission code is based on EU data protection legislation, and aims to raise awareness for all parties, including small and medium enterprises as well as individual developers who may not have legal teams on hand, and “increase compliance at the EU level for app developers.” The code covers numerous issues, including user consent, purpose limitation, privacy by design and default, and data security. The European Commission also covered advertising within mHealth apps, disclosing data to third parties, children’s privacy, and data transfers. [Telecompaper] [Press Release] [Public Consultation]

EU – EDPS Announces New Accountability Initiative

European Data Protection Supervisor Giovanni Buttarelli announced a new accountability initiative to help EU bodies transition to the General Data Protection Regulation. The EDPS started working on a project to enhance accountability in data processing in 2015, when the agency examined itself as an institution. “We developed a specific tool to ensure and demonstrate our accountability as an organisation, to plan and to keep track of related actions. This document consists of a set of questions for the supervisors, the director, the staff responsible for managing processing operations and our data protection officer,” Buttarelli wrote in a blog post. “This year, we aim to visit — and have already started — small, medium, and large EU bodies to explain the new obligations,” he continued, adding, “As part of our efforts … we will recommend our accountability document during these visits and suggest that they tailor it to suit their specific needs.” [EDPS Blog Post]


WW – Facebook is Using Your Phone to Listen to Everything You Say: Professor

Facebook admits to using people’s microphones to listen to what they say, but they claim this is somehow a good thing. Kelli Burns, mass communication professor at the University of South Florida, claims to have tested devices running the Facebook mobile app, and found that all of them are listening to everything you say, providing customized ads based on what you are saying. “I’m really interested in going on an African safari. I think it’d be wonderful to ride in one of those jeeps,” she said out loud with her phone in hand. According to the NBC report, less than a minute later, the first story in her Facebook feed was about a safari. And a car ad soon appeared on her page – go figure. Of course, this is not scientific evidence at this point, but Burns is not one to shun. Before becoming an academic, she spent seven years in corporate marketing and is a well-known figure in social media circles. Facebook didn’t deny the claims. Instead, it admitted that it picks up sounds from users, but said that it only does this to recommend they post things on Facebook. It’s not the first time Facebook has come under fire for something like this. Last year it was also accused of the same thing, and they said at the time that users had to turn their microphone on in order for this to work. But now, the microphone is on by default, so this does seem to confirm that Facebook is listening to you.


CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

Ontario’s privacy watchdog has ordered the province to publish the names of the 100 doctors whose billings to the Ontario Health Insurance Plan are highest. An adjudicator, ruling on an access-to-information request from the Toronto Star, said the billings are “not personal information” and, even if they were, it would be in the public interest to reveal them. The Ontario Medical Association, which represents the province’s 28,000 physicians, opposed release of the data, saying it could be misconstrued. (Billings are not salaries but gross payments from which doctors must pay office overhead, benefits and pension.) The OMA has not yet decided if it will appeal the ruling. If it does not, the data will be made public on July 8. [Source] [IPC Decision] [54-page order] [Ontario Doctors’ Billings: Transparency is the Best Medicine] [End the secrecy over doctors’ billings: Editorial]

CA – OIPC NFLD Expects Redaction to be Used Sparingly

The Office of the Newfoundland and Labrador Information and Privacy Commissioner provided its expectations for Public Body Coordinators on handling non-responsive information in an access request, pursuant to the Access to Information and Protection of Privacy Act. Redact non-responsive information only where necessary and appropriate; best practices include releasing the information if it is just as easy as claiming non-responsive (this will save time-consuming consultations and time weighing discretionary exceptions), avoiding breaking the flow of information (do not claim non-responsive within sentences or paragraphs), and explaining in the final response to the Applicant what non-responsive means and that information has been redacted on this basis. [Newfoundland and Labrador OIPC – Practice Bulletin – Redacting Non-Responsive Information in a Responsive Document]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications to Vice News revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Full Story]


US – Biden Unveils Launch of Major, Open-Access Database to Advance Cancer Research

Vice President Joe Biden will unveil a 12,000-patient, open-access cancer research database called the Genomic Data Commons today. The database will include “raw genomic and clinical data” as well as information regarding patients’ treatment types and their bodies’ response to it, the report states. “This is good news in the fight against cancer,” Biden said. “Increasing the pool of researchers who can access data and decreasing the time it takes for them to review and find new patterns in that data is critical to speeding up development of lifesaving treatments for patients.” The GDC will have privacy protections in place, with representatives from cancer centers drafting a model consent form, the report adds. [Washington Post] See also: [Canada: Genetic Discrimination And Canadian Law] and [How new DNA testing is cracking open long-stalled cold cases]

Health / Medical

US – OCR: Sharing Electronic Patient Data Crucial, Requires Cooperation

A slew of breakthroughs will put the pressure on health care leaders to start becoming more transparent with data. Deputy Director of Health Information Privacy in the Department of Health and Human Services’ Office for Civil Rights Deven McGraw highlighted this during the Office of the National Coordinator for Health Information Technology’s annual meeting in Washington, where she said cooperation will be key for successfully sharing patient data. “I can enforce people to comply with the law, but the culture change that makes a difference is not because the government is going to force it down people’s throat,” said McGraw. “It’s going to happen because people want it and demand it.” McGraw said providers should release electronic patient data at patients’ request. “Whatever the patient wants to do with that information, it’s her right to have it and to have it in the form or format that she wants it,” McGraw said. [Healthcare IT News]

Horror Stories

WW – 32M Twitter Passwords Held at Ransom

A hacker with purported ties to the LinkedIn, Myspace, and Tumblr breaches is now claiming to have a database of 32 million Twitter login credentials at ransom. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” said a statement from breach-notification company LeakedSource, which analyzed the database and was able to verify accounts. The company added that the passwords taken were most likely in plain text with no hashing. “The lesson here? It’s not just companies that can be hacked, users need to be careful too,” the statement said. [ZDNet]

EU – Dutch DPA Receives More Than 1,500 Breach Notifications in First 4 Months

Review of the first 4 months of new breach notification requirements in the Netherlands shows that, in approximately two-thirds of breaches, the DPA had reason to more closely examine the circumstances of the breach or it opened formal investigations; subsequent action was taken against about 70 organisations. The DPA’s classification of breaches found that three of the four categories related to inadvertent disclosures by the organisation (e.g. loss of unencrypted devices, insecure disposal, or insecure transfers); the remaining category related to malicious access to databases and ransomware. [130 days, 1,500 notifications: Does Dutch breach rule foreshadow GDPR? – Lokke Moerel and Alex van der Wolk, Morrison & Foerster LLP]

Identity Issues

WW – Search Queries Could Leave Medical Clues: Study

A Microsoft study published June 7 has found that by analyzing large sets of anonymized search engine queries, scientists may be able to detect those internet searchers with pancreatic cancer before an official diagnosis. “We asked ourselves, ‘If we heard the whispers of people online, would it provide strong evidence or a clue that something’s going on?’” researcher Dr. Eric Horvitz said. He acknowledged that using data in this way was uncharted territory for the health care industry. Regardless, “We’re hoping that this stimulates quite a bit of interesting conversation,” he said. [The New York Times]

WW – Inventor of the Web Creates Identity on Bitcoin Blockchain

Sir Timothy Berners-Lee, an English computer scientist and the inventor of the World Wide Web, created his first Bitcoin blockchain ID on June 9, through the popular Blockstack-based platform Onename. Built on the decentralized, privacy-centric, and Bitcoin blockchain-secured database Blockstack, Onename is an open source platform which enables users to register their social media accounts and IDs through the Bitcoin blockchain network. The concept of embedding an account on the Bitcoin blockchain is fairly simple. Each Bitcoin transaction has a feature which allows users to store data apart from the core transaction information, creating space for anyone to embed small pieces of data alongside the transaction data in a full transaction. Through the Blockstack nodes, Onename then verifies and authenticates various social media accounts, linking them to its network and enabling users to identify others through the account. “With the Blockstack software, a network of computers collectively maintain a global registry of identities, public keys and names. When you run a Blockstack node, you join this network, which is more secure by design than traditional identity, naming, and digital registry systems,” explains the Blockstack team. [Source]

Law Enforcement

CA – BC Police Act Violates Charter (sec.8), Suspended Vic Chief Says

Suspended Victoria Police Chief Frank Elsner is asking the courts to declare that sections of B.C.’s Police Act violate the Charter of Rights and Freedoms’ search and seizure provisions and are therefore not enforceable. Under the act, independent investigators with the Office of the Police Complaint Commissioner are not required to obtain warrants to search police premises, equipment and records when looking into allegations of misconduct at municipal departments. Those provisions violate Section 8 of the charter, because they relate to matters to which there is a high expectation of privacy, Elsner says. Section 8 protects against unreasonable search and seizure. [The Victoria Times Colonist]

Online Privacy

US – Android Users Seek Class-Action in Privacy Battle Over App Purchases

Android users are requesting to go forward with a class-action lawsuit against Google’s app store for allegedly disclosing personal information to developers. The lawsuit, started by Illinois resident Alice Svenson in 2013, is on behalf of numerous Android users who made purchases on the Google app store. “Casting aside the express promises made in their own terms of use, for years, defendants have routinely and systematically disclosed to third-parties, their buyers’ personal contact and billing information — including, names and email addresses — which they now admit was not necessary to complete the transactions or otherwise authorized for disclosure,” the users’ lawyers wrote in the motion. Svenson’s initial lawsuit was thrown out, but after revising her complaint by saying the disclosure lessened the value of her personal data, it was allowed to proceed. Last year, U.S. District Court Magistrate Paul Grewal in San Jose dismissed a separate lawsuit that also alleged Google violated app purchasers’ privacy by sending their names to developers. [MediaPost]

EU – Researchers Re-identify 40% of RTBF Subjects

One of the world’s most widespread efforts to protect people’s privacy online —RTBF— may not be as effective as many policymakers think, according to research by computer scientists based, in part, at New York University. The academic team said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from searches. The research paper raises questions about how successful Europe’s “right to be forgotten” can be if the identities can still be found with just a few clicks of a mouse. The paper says such breaches undermine “the spirit” of the right to be forgotten. The research also will add increased pressure on some European authorities, particularly the French privacy regulator, who would like Google and other online search engines like Microsoft’s Bing to extend the reach of the right to be forgotten across all of the companies’ global domains, including in the United States. “This poses a threat to whether the ‘right to be forgotten’ can be maintained in the long-term,” said Keith Ross, dean of engineering and computer science at NYU Shanghai, who led the project and who said he had contacted Google with his research. “If a hacker can easily find 30 or 40% of people’s names from delisted articles, what is the point?” he said. [New York Times]

Privacy (US)

US – Federal Appeals Court Says No Warrant Needed for Stingray Use

The Fourth US Circuit Court of Appeals has overturned a lower court verdict that ruled law enforcement must obtain warrants before using cell-site simulators to determine a suspect’s location. According to the ruling, obtaining the information does not violate a suspect’s Fourth Amendment rights because the information is already being shared with the suspect’s wireless carrier: “Whenever [an individual] expects his phone to work, he is permitting – indeed, requesting – the service provider to establish a connection between his phone and a nearby cell tower.” [ZDNet]

US – Yahoo Publishes National Security Letters

Yahoo has published three National Security Letters it has received from the federal government. National Security Letters allow federal law enforcement officers to demand customer records and transaction information from communication companies without the need for a warrant. The letters also carried a gag order that until recently never expired – any person or organization receiving an NSL was not permitted to disclose its contents or even its existence. The USA Freedom Act, which became law last year, changed those requirements. The FBI must now review gag orders once the investigation is closed or three years after it was opened, to determine if lifting the order will or will not be detrimental to the investigation. Yahoo’s disclosure is the first since the USA Freedom Act passed. [Wired] [eWeek] [Redacted letters] [Yahoo’s position]

US – NTIA Issues Best Practices for Operators of Commercial and Private Drones

The National Telecommunications and Information Administration released its best practices for use of drones by operators for private and commercial uses. Public comments were sought in 2015. Operators should make a reasonable effort to provide prior notice to individuals of the general timeframe and area in which they intend to operate a drone to collect data, and provide a publicly available privacy policy that includes the purposes of collection, the types of data the drone will collect, the operator’s data retention and de-identification practices, the types of entities with which data will be shared, how to submit privacy/security complaints or concerns, and a description of response practices to law enforcement requests. [National Telecommunications and Information Administration – Voluntary Best Practices for UAS Privacy, Transparency, and Accountability]

US – Snowden Questioned NSA’s ‘Interpretation of Legal Authorities’ Before Leak

Former government contractor Edward Snowden attempted to contact the NSA about its surveillance programs before exposing a trove of documents to the public. In response to a “long-running” Freedom-of-Information-Act lawsuit, the Office of the Director of National Intelligence released more than 800 pages of communications revealing Snowden tried to ask questions about the “interpretation of legal authorities” related to the programs. The documents also reveal Snowden’s face-to-face interaction with an official, details about Snowden’s work with the agency, and efforts by the NSA, the White House and U.S. Senator Dianne Feinstein, D-Calif., to discredit Snowden. [Vice News] [Snowden and the NSA Gets Curiouser and Curiouser]

US – Court Certifies Class Action Alleging Social Networking Site Unlawfully Scanned Users’ Private Messages

A US Court has considered a motion for class certification of a complaint alleging Facebook violates users’ privacy by scanning their private messages. The Court accepted the Plaintiffs’ argument that injunctive relief is appropriate for the class as a whole because Facebook has utilized a uniform system architecture and source code to intercept and catalog its users’ private message content; the Court rejects the social networking site’s argument that individual proof will show that many class members impliedly consented to the challenged practices. [Matthew Campbell et al. v. Facebook, Inc. – 2016 U.S. Dist. LEXIS 66267 – United States District Court For The Northern District Of California]

US – Electronic Health Records Company Settles FTC Charges It Deceived Consumers About Privacy of Doctor Reviews

The FTC announced electronic health records company Practice Fusion has settled with the agency over claims it misled customers by asking for reviews of its doctors without telling customers the reviews would be made public, resulting in the disclosure of sensitive medical data. “Practice Fusion’s actions led consumers to share incredibly sensitive health information without realizing it would be made public,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Companies that collect personal health information must be clear about how they will use it — especially before posting such information publicly on the internet.” In its settlement with the FTC, Practice Fusion is prohibited from making deceptive statements about the privacy and confidentiality of consumer information it collects, while requiring consumer opt-in before disclosing any information in the future. [Full Story]


US – Three Bills Approved To Boost Security for California’s IT systems

California lawmakers passed three bills designed to strengthen the security of the state’s information technology systems. One of the bills would mandate a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017. “Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” said bill author Jacqui Irwin, D-Thousand Oaks. Another bill requiring state agencies to create detailed data breach response plans was unanimously approved by the California Senate, along with legislation making it illegal to knowingly put ransomware on a computer’s system, network or data. [Techwire]

CA – New Conference Board Centre to Focus on Cyber Security Policy

A new Conference Board of Canada research Centre is working to tackle cyber security issues that affect all Canadian citizens, starting with the critical issue of personal data privacy in the digital world. The first research from the Centre aims to get decision-makers and Canadians up-to-speed on privacy regulations and capable of making smart decisions. The report, Private Matters: Regulating Privacy in Canada, the European Union and the United States, highlights key trends that firms should address in order to maintain proactive privacy compliance. They include:

  • Consent—The broad concepts of informed and implied consent are no longer sufficient. Regulators are increasingly demanding that consent be active, explicit, and easily understood.
  • Breach notification—Enhanced regulations require organizations to report privacy breaches in a timely, comprehensive way. Failure to do so can result in steep fines and costs to a firm’s reputation.
  • Territoriality—Privacy will have to balance the rights of national citizens against the borderless nature of e-commerce. The new EU-U.S. Privacy Shield will have an impact on this debate. If EU demands prevail, EU citizens’ right to privacy will travel with their data.
  • Individual rights after consent—As regulators and industry get closer to figuring out how to get consent right, they will need to begin enumerating the rights of individuals who have consented to data collection. They will also need to determine the appropriate remedies when those rights are violated.
  • Answering public demands—As the pace and pervasiveness of technology continue to accelerate, regulators will have to strike a balance between protecting the public and insisting the public more meaningfully contributes to its own protection.

The Conference Board of Canada’s new Cyber Security Centre examines the evolving nature of cyber security at the strategic and policy level, in order to meet the needs of senior executives and board members across all sectors and industries. [Conference Board of Canada News Release]


CA – BlackBerry Hands Over User Data to Help Police ‘Kick Ass,’ Insider Says

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals. CBC News has gained a rare glimpse inside the struggling smartphone maker’s Public Safety Operations team, which at one point numbered 15 people, and has long kept its handling of warrants and police requests for taps on user information confidential. A number of insiders, none of whom were authorized to speak, say that behind the scenes the company has been actively assisting police in a wide range of high profile investigations. But unlike many other technology companies, which regularly publish transparency reports, it is not clear how many requests BlackBerry receives each year, nor the number of requests it has fulfilled. [Source] See also: [More Canadian telcos should detail police data requests: Privacy commissioner]

US – Google Wants Privacy Lawsuit Dismissed, Cites Spokeo Case

Citing the Supreme Court’s decision in the Spokeo case, Google is asking a U.S. district judge to dismiss claims it disregards privacy laws. Google filed court papers in response to allegations it violates federal and state privacy laws by scanning emails in order to serve ads. A lawsuit from San Francisco resident Dan Matera claims Google illegally “intercepts” email messages, which forced him to interact with Gmail users, even though he did not have a Gmail account. Thanks to the result of the Spokeo case, Google wants Matera’s case thrown out, saying he cannot show a concrete injury, the report states. “Plaintiff does not allege, for example, that the alleged violations led to the disclosure of his confidential information to third parties, or that he suffered any other purported harm from the alleged ‘interceptions’ of his emails,” Google wrote in the papers. [MediaPost]

UK – Spies Circumvented Surveillance Laws With No ‘Meaningful’ Oversight

Privacy International has released previously confidential government documents that shed light on how British spy agencies circumvented legal restraints on their surveillance powers, with little interference from the commissioner charged with overseeing them. The documents detail correspondence carried out in 2004 between lawyers for two UK spy agencies — the Government Communications Headquarters (GCHQ) and MI5 — and Sir Swinton Thomas, the Interception of Communications Commissioner at the time. Thomas was responsible for overseeing the two agencies, but Privacy International, a London-based watchdog organization, says his correspondence with the GCHQ and MI5 “exposes the lack of meaningful restraint of the agencies’ over-reaching and intrusive powers.” The release of the document comes ahead of a Parliamentary debate on the controversial Investigatory Powers (IP) Bill. Introduced last year, the bill aims to provide a legal framework for bulk data collection, while increasing transparency and strengthening oversight for British spy agencies. But privacy advocates, internet service providers, and major technology companies have expressed alarm over the law — referred to by critics as the “snooper’s charter” — arguing that it gives police and intelligence agencies broad surveillance powers under vaguely defined terms. Privacy International says that the correspondence released today demonstrates the flimsiness of existing oversight mechanisms. [The Verge] [UK: Official correspondence reveals lack of scrutiny of MI5’s data collection]



27 May – 02 June 2016


WW – Car’s Computer Can ‘Fingerprint’ You in 5 Min Based on How You Drive

The way you drive is surprisingly unique. And in an era when automobiles have become data-harvesting, multi-ton mobile computers, the data collected by your car—or one you rent or borrow—can probably identify you based on that driving style after as little as a few minutes behind the wheel. In a study they plan to present at the PETs Symposium in Germany this July, a group of researchers from the University of Washington and the University of California at San Diego found that they could “fingerprint” drivers based only on data they collected from the internal computer network of the vehicle their test subjects were driving, what’s known as a car’s CAN bus. In fact, they found that the data collected from a car’s brake pedal alone could let them distinguish the correct driver out of 15 individuals about nine times out of ten, after just 15 minutes of driving. With 90 minutes of driving data or monitoring more car components, they could pick out the correct driver fully 100 percent of the time. “With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity.” And the researchers argue that the ability to pinpoint a driver could have unexpected privacy implications: Everything from letting insurance companies punish drivers who loan their cars to their teenage kids, to confirming the identity of a driver who violated traffic laws or caused a collision. [Wired] [Is driving style the next biometric?]

US – Tattoo Recognition Research Threatens Free Speech and Privacy: EFF

An EFF Investigation Finds NIST/FBI Experimented with Religious Tattoos, Exploited Prisoners, and Handed Private Data to Third Parties Without Thorough Oversight …Now, with NIST and the FBI on the precipice of a new, larger experiment that will use upwards of 100,000 tattoo images, officials must suspend any further research into tattoo recognition technology until they address the First Amendment, ethical, and privacy concerns EFF has identified. [Source] See also: [Six Things You Need to Know Before Collecting Biometric Information]


CA – Company Scraps ‘Bad Tenant List’ After OPC Upholds Complaint

A property management company that maintained a “bad tenant” list for a landlord association has agreed to scrap it after the office of federal Privacy Commissioner Daniel Therrien concluded the personal information it contained was improperly collected. Therrien’s office investigated after receiving a complaint in February 2014 from a single parent with a disabled child. The unidentified woman had applied to the company for new rental accommodation that was fully accessible to her child, but was turned down. She was told by the company that her inclusion on the bad tenant list — for allegedly having skipped payments and for owing money for damages — was one of the reasons it was denying her housing services. The management company, which wasn’t named, told privacy commissioner investigators that members of the unidentified landlords association added the names of “bad tenants” to the list. The personal information on the list included the tenant’s name, the alleged incident for which the individual’s name was added to the list and the rental accommodation where the problem occurred. The company said the information was used to help landlords “avoid credit default” by potential tenants and determine “valid renters.” The complainant said she never consented to her personal information being collected for that purpose and wasn’t allowed to see the information about her or find out which landlord had added her name to the list. The property management company pointed to a clause in its rental agreement authorizing the landlord to obtain credit reports “or other information as may be deemed necessary.” But in a recently posted decision, the privacy commissioner’s office says it did not see how those words “would lead individuals to understand they were consenting to their personal information being collected, used and disclosed for the purposes of a ‘bad tenant’ list.” [Source]

CA – Office of the Privacy Commissioner Announces First Investigation Under Address Harvesting Provisions

The OPC announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses. The OPC alleges Compu-Finder used address harvesting programs to search and collect e-mails on the internet. This marks the first investigation by the OPC involving its address harvesting provisions under the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use e-mail addresses of individuals to send e-mails promoting its business activities, without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use of many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic knowledge of its privacy obligations and failed to demonstrate accountability and openness in its privacy practices. This investigation also debuts the OPC’s compliance agreement power since the tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. Some of the measures that Compu-Finder has agreed to implement include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possession which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the CRTC, which issued a Notice of Violation against Compu-Finder pursuant to Canada’s Anti-Spam Legislation (CASL) on March 5, 2016. The OPC acknowledged the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies. The CRTC’s proceedings against Compu-Finder are still ongoing. The full report of findings and compliance agreement are available online. [Source]

CA – Spy Agency Accidentally Shared Canadians’ Data With Allies for Years

A federal spy agency inadvertently shared logs of Canadians’ phone calls and Internet exchanges with intelligence allies such as the United States for years, a newly disclosed report says. The revelation that the CSE compromised Canadians’ privacy while sharing clandestinely captured data appears in a confidential watchdog’s report obtained from court filings related to a lawsuit against the Canadian government. The report said software that was supposed to remove identifying information on Canadians from material CSE captured during international surveillance operations had failed. This meant that Canada’s intelligence allies received data that Canadian laws say they should not see. The confidential report was written by Jean-Pierre Plouffe, a retired Quebec judge who heads the Office of the CSE Commissioner, the spy agency’s watchdog agency. In it, he suggests the unlawful seepage of Canadians’ phone and Internet records to foreign intelligence agencies could date back to the mid-2000s, and that the overall amount of compromised material is unclear. Given this, Mr. Plouffe is urging Parliament to pass laws spelling out how it wants the spy agency to function. “As CSE’s collection posture has strengthened, … the volume of metadata collected has increased considerably,” Mr. Plouffe writes in his 2015 report. He urged federal politicians to give clearer direction on surveillance. [The Globe and Mail]

CA – TREB Seeks ‘Opt-In’ Consent for MLS Data to Protect Consumer Privacy

Canada’s largest real estate board is urging the federal Competition Tribunal to protect consumer privacy by requiring homeowners to consent to sharing their housing information over the Internet. In filings posted on the tribunal’s website ahead of a hearing on Thursday in Ottawa, the Toronto Real Estate Board argues that electronic access to the board’s Multiple Listings Service should be made available to online real estate brokerages only after both buyers and sellers have checked an “opt-in” box on their sale and purchase agreement. TREB also asked the tribunal to make electronic home-sales data available for only six months after a house has sold, and said the data should not contain details of house sales that occurred before the tribunal issues its final order. It also argued that online brokers should not be able to use its MLS information for “data analytics” – such as building home-price heat maps or neighbourhood-level price trends – without the explicit consent of both buyers and sellers. The hearing comes a month after a three-member panel of the Competition Tribunal ruled that TREB was stifling competition in the Greater Toronto Area’s real estate industry by restricting how member realtors who run online brokerages access and share electronic data about homes that have sold. [The Globe and Mail]


CA – Majority of Canadians Feel Their PI is Vulnerable to Security Breach

A report released earlier this month has indicated that the majority of Canadians believe the personal data the government holds on them is vulnerable to a security breach. The study, conducted by Ipsos on behalf of Accenture Cyber, indicated that Canadians feel distrustful of their data in the hands of municipal, provincial and federal governments. A total of 54% of Canadians believe that personal information held by the federal government is vulnerable to a security breach. 20% of those surveyed feel they are “very vulnerable” and 33% feel they are “somewhat vulnerable,” according to the results of the survey. Albertans feel most distrustful of their governments, as 62% of those in the province report feeling vulnerable, followed by those from British Columbia (58%), Ontario (55%), and Atlantic Canada (53%). Quebec, Saskatchewan and Manitoba tied for last place with 49% feeling their data could be compromised. On average, the results also say that women feel more vulnerable than men, and older Canadians are more skeptical of the safety of their data than younger ones. [Source]


US – Uber Says New York Can’t Be Trusted With Its Data

Uber has gone to court to ensure confidentiality over records it provided for New York’s investigation of how the ride-sharing service secures data. New York began collecting the information two years ago after media reports surfaced about real-time tracking of rides — known internally as “God View” — that included personal information about riders. Uber provided the information at issue in response to an attorney general’s probe, so the company “thus enjoys categorical exemption from disclosure,” the petition states. Attorney General Eric Schneiderman’s office would only discourage similar cooperation from companies if it released the confidential information, the petition continues. [Source]

Electronic Records

US – Certified EHR Technology Now Widely Used at U.S. Hospitals

Nearly all of the country’s hospitals have adopted certified electronic health records, according to new survey data released May 31 by the Office of the National Coordinator for Health Information Technology. Results of the survey show the industry has a long way to go in sharing and then using information from other healthcare organizations in treating patients—only a minority say they use patient information from outside their organization in treating patients. Based on the American Hospital Association IT Supplement to the AHA annual survey, the adoption rate of certified EHRs has increased from almost 72% in 2011 to 96% in 2015. Last year, 84% of hospitals adopted at least a basic EHR system, representing a nine-fold increase since 2008. ONC defines basic EHR adoption as a minimum use of core functionality determined to be essential to an EHR system, including clinician notes. The set of EHR functions must be implemented in at least one clinical unit to be considered basic EHR adoption. While small, rural, and critical access hospitals (CAHs) continue to have significantly lower basic EHR adoption rates compared with all hospitals, ONC notes that the new data show that adoption rates for these hospitals have increased significantly. Since 2014, small and rural hospitals increased their adoption of basic EHRs by at least 14 percentage points and CAHs increased their adoption of basic EHRs by 18 percentage points. Currently, about eight out of 10 small, rural, and CAHs have adopted a basic EHR. [Source]


US – Proposed Senate Bill Requiring Backdoors in Encryption Appears Dead

A proposed anti-encryption bill has stalled out in the US Senate. The draft legislation would have required that encryption be breakable so investigators could access communications. The bill lacked White House support, and the intelligence community were reportedly “ambivalent” because the law could have impeded their own encryption efforts. [Reuters] [The Register] [CNET] [ComputerWorld] [ZDNet]

EU Developments

EU – Privacy Shield Doesn’t Hold Up: EDPS

European Data Protection Supervisor Giovanni Buttarelli has published his opinion on the EU-U.S. Privacy Shield, which he says is “not robust enough to withstand future legal scrutiny.” While he expressed appreciation for the legislative effort behind the agreement, “significant improvements are needed should the European Commission wish to adopt an adequacy decision,” he wrote. Buttarelli isn’t the only recent Privacy Shield critic. “We keep thinking we’re going to reach a date and from that date onwards we won’t have any more issues. That won’t happen,” said Intel Global Privacy Officer David Hoffman. “The idea that we’re going to solve the international data transfer issue with Privacy Shield, to me, is an incorrect assumption.” [v3] [BBC: EU Data Protection Supervisor Rejects Privacy Shield Agreement]

Facts & Stats

US – Most 2016 Healthcare Data Breaches from Unauthorized Access

Last year is often referred to as the “Year of the Hack” for healthcare, with the majority of healthcare data breaches being caused by third-party cyber attacks. The top three incidents alone combined to potentially affect nearly 100 million individuals, and all involved hacking. So far, 2016 is not immune from healthcare data breaches, but the leading cause of incidents is unauthorized access, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach reporting database. There have been 114 incidents reported to OCR between Jan. 1, 2016 and June 1, 2016. Of those, 47 were classified as being caused by unauthorized access or disclosure. The rest of the classification breakdown is as follows:

  • 34 – hacking/IT incident
  • 26 – theft
  • 5 – loss
  • 2 – improper disposal

However, the largest healthcare data breach so far this year was due to a hacking incident. [Source] See also: [Top 10 Healthcare Data Breaches of 2015]

UK – Sloppy Human Error Still Prime Cause of Data Breaches: ICO

FOI data from ICO reveals usual failings: loss of paperwork, data sent to wrong recipients, insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data …Of the sectors compared over the three years, 66% reported an increase in data breach incidents, with the courts and justice sector recording a rise of 500% over the period. Healthcare organisations continue to top the list for total number of reported incidents at 184. Human error continues to be mainly to blame. For January – April 2016, human error accounted for almost two-thirds (62%) of the incidents reported to the ICO, outstripping other causes such as insecure webpages and hacking, which stands at just 9% combined. Despite this, market attention and resource continues to focus on external threats, notably cyber-attacks and hackers. [Source] See also: [Human error causes more data loss than malicious attacks | Human Error to Blame as UK Data Breaches Soar | Courts and justice sector see 500 per cent rise in data breaches]


CA – BC Supreme Court Orders Search Engine to Deny Access to Defamatory Statements

An individual seeks an injunction against a website that allegedly posted defamatory comments. An individual who filed a defamation lawsuit against two individuals and a website was granted a permanent injunction against those U.S. Defendants (who are prohibited from publishing such statements) in light of the possibility that they may resist enforcement of a monetary judgment of a Canadian court; a permanent injunction was also granted against a search engine, through which links can be obtained to the defamatory statements. [Nazerali v. Mitchell – 2016 BCSC 810 – In The Supreme Court of British Columbia]

CA – Officials Examining ‘Right-To-Be-Forgotten’ Potential in Canadian Law

As Google and the CNIL continue their battle over Europe’s “right-to-be-forgotten” law in France, Canadian officials are mulling whether the law has a place in their own legal system. A case involving Google and Datalink Technologies Gateways, Inc., has drawn parallels to the case in France, as the search engine is challenging an order in front of the Canadian Supreme Court to remove listings of Datalink, which is being accused of trademark violations across its worldwide search. To address their course on the RTBF, the Office of the Privacy Commissioner of Canada has received 23 formal submissions on the subject. “The law is broadly struggling to address these issues, and so we thought it was a legitimate question to ask,” said Patricia Kosseim, director general of the Legal Services, Policy, Research and Technology Analysis branch of the OPC. [The Globe and Mail]


CA – OPC Urges Committee to Rethink Information Commissioner’s Legal Jurisdiction

Privacy Commissioner of Canada Daniel Therrien suggested limiting the “proposed authority” for Information Commissioner Suzanne Legault in a brief to the Commons committee considering the Access to Information Act. Therrien argued that the current balance of power “illustrates the healthy tension between opposing interpretations” of what the law defines personal information to be. Said balance should be taken into consideration before revising job descriptions, he added. Instead, he suggested “the matter should only be discussed two years from now, when the government does a full-scale review of the access law,” the report states. [CTV News]

Health / Medical

CA – Saskatchewan Adopts Anti-Snooping Law for Health Records

The government is toughening up its laws around the protection of personal health information in Saskatchewan. The changes are in response to a member of the public finding thousands of medical records in a Regina dumpster in 2012, something the privacy commissioner at the time called the “worst breach of patient information” his office had ever seen. Despite that, there were no prosecutions. That incident sparked the government to create a working group made up of doctors, nurses, government officials and a patient representative to come up with stronger rules. The amendments to the Health Information Protection Act (HIPA) are effective June 1. They include a reverse onus clause for trustees of medical records to show they took reasonable steps to prevent their abandonment. [Source]

AU – Australian HealthCare Providers Must Protect Against Insider Risk

Recommendations for Australian healthcare providers to protect health information. Providers should adopt an approach that manages the risk of an external attack and aims to prevent internal data breaches from negligent or malicious staff; ensure employees have a high level of cybersecurity awareness (training and policies), encrypt all portable devices and allow for remote wiping, and revoke employee access to the network immediately after notice of termination is given. [Cybersecurity and the Risk of Inside Jobs – Marie Feltham, Special Counsel and Leonard Lozina, Lawyer – DibbsBarker]

CA – Ontario Health Ministry Ordered to Disclose Names on OHIP Billings

The province’s privacy commission has ordered the health ministry to release the names of doctors along with their OHIP billings, in the interests of transparency and accountability. The decision comes two years after the Toronto Star began requesting physician-identified billings from the health ministry, and brings the province more in line with other jurisdictions that are opting to disclose public funds paid to doctors. In granting an appeal the IPC said physician-identified billings are not “personal information” and are, therefore, not exempt from disclosure under the province’s Freedom of Information and Protection of Privacy Act. Even if they were deemed personal, a compelling public interest in their disclosure would outweigh the purpose of the act’s privacy exemption, the IPC wrote in a 54-page order released Wednesday and received by the Star Thursday. The IPC has ordered the health ministry to release the information to the Star by July 8. [Source]

Horror Stories

WW – Recently Confirmed Myspace Hack Could Be the Largest Yet

A report from says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale. Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack. That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on. [Source]

WW – LinkedIn Sends Out Breach Notification Emails

Users of LinkedIn likely received breach notification emails from the social network earlier this week. The emails come four years after a 2012 hack of the service in which millions of passwords and usernames were accessed. The incident was widely reported in 2012, but came back into the spotlight last week with news that 117 million email and password combinations — significantly more than the 6.5 million originally reported in 2012 — were for sale on the Dark Web. “While we do all we can, we always suggest that our members visit our safety center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible,” the email stated. [Fortune] See also: [Unencrypted Laptops Expose Over 400,000 Patients’ Medical Data]

WW – Hackers Stole 65 Million Passwords from Tumblr, New Analysis Reveals

On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected. As it turns out, that number is 65 million, according to an independent analysis of the data. Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set. Hunt said the data contained 65,469,298 unique emails and passwords. The passwords, however, were not in plaintext, but were “hashed,” a process that turns the actual password into a different string of digits. The company also added a series of random bytes at the end of the passwords before hashing them, or “salted” them, as Tumblr said when it disclosed the breach. The company, however, didn’t say exactly what algorithm it used to hash the passwords. Since Tumblr’s announcement, the hacked data appears to have been circulating within the internet underground. A hacker known as Peace, who also claims to have the data and was selling it on the darknet marketplace The Real Deal, said Tumblr used SHA1 to hash the passwords. Given that it also used salt, they are very hard for hackers to crack. [Source]

Identity Issues

US – Doctors Fire Back at Bad Yelp Reviews – and Reveal PHI Online

Burned by negative reviews, some health providers are casting their patients’ privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments — which have spilled out publicly on ratings sites like Yelp – doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients’ diagnoses, treatments and idiosyncrasies. [Source]

Internet / WWW

US – Tech in U.S. Schools Collects Student Data for Marketing Purposes: Report

The National Education Policy Center has issued its 18th annual report about commercialization of student information. Current regulatory frameworks do not effectively protect against application service providers using students’ personal information for marketing purposes; legislators should eliminate loopholes that provide companies with opportunities to collect and exploit children’s data, and pass enforceable legislation that holds schools, districts, and companies with access to student data accountable for violations of student privacy. [NEPC: Learning to be Watched: Surveillance Culture at School]

Law Enforcement

US – ACLU Joins Microsoft’s Challenge to DoJ Gag Orders

The American Civil Liberties Union has filed a motion to join Microsoft’s challenge to the Justice Department’s use of gag orders that prevent companies from telling users when the government is demanding access to their data. “A basic promise of our Constitution is that the government must notify you at some point when it searches or seizes your private information,” said ACLU Senior Staff Attorney Alex Abdo. “Notice serves as a crucial check on executive power, and it has been a regular and constitutionally required feature of searches and seizures since the nation’s founding.” A Microsoft spokesman said the company “appreciates the support from the ACLU and many others in the business, legal and policy communities who are concerned about secrecy becoming the norm rather than the exception.” [USA Today]


US – Appeals Court Delivers Blow to Cellphone-Privacy Advocates

Courts across the country are grappling with a key question for the information age: When law enforcement asks a company for cellphone records to track location data in an investigation, is that a search under the Fourth Amendment? By a 12-3 vote, appellate court judges in Richmond, Virginia, on Monday ruled that it is not — and therefore does not require a warrant. The 4th Circuit Court of Appeals upheld what is known as the third-party doctrine: a legal theory suggesting that consumers who knowingly and willingly surrender information to third parties therefore have “no reasonable expectation of privacy” in that information — regardless of how much information there is, or how revealing it is. Research clearly shows that cell-site location data collected over time can reveal a tremendous amount of personal information — like where you live, where you work, when you travel, who you meet with, and who you sleep with. And it’s impossible to make a call without giving up your location to the cellphone company. [The Intercept]

WW – Collaborative Project Maps Areas Where Governments Spy on People

The Digital Freedom Alliance has launched a collaborative open source project to map places in the world where governments use malware to conduct surveillance on journalists, activists, lawyers, and NGOs. The project gathers information from a variety of sources and maps the locations, noting the dates, targets, and type of malware used. [Wired]

Online Privacy

WW – Facebook to Begin Sending Targeted Ads to Nonusers

In an attempt to grow its online ad network, Facebook will display ads to consumers who do not have accounts with the social media network. Facebook plans to reach nonmembers through cookies, “like” buttons, and plug-ins on third-party sites. While Facebook says its new method will better serve relevant ads to nonusers, European regulators have cited privacy concerns in their criticism of the practices. Facebook feels it is in a great position to target nonmembers through the large amounts of data it holds on current users. “Because we have a core audience of over a billion people [on Facebook] who we do understand, we have a greater opportunity than other companies using the same type of mechanism,” said VP of Facebook’s Ad and Business Platform Andrew Bosworth to the Journal. [The Verge] See also: [You Should Go Check Facebook’s New Privacy Settings]

WW – Googling Yourself Now Leads to Personal Privacy Controls

Soon, all you’ll need to do is Google yourself if you’re wondering how deeply Google has been digging into your digital life. In coming weeks, a shortcut to personal account information will appear at the top of Google’s search results whenever logged-in users enter their own names in the query box. The feature is part of an update to the “My Account” hub that Google introduced a year ago to make it easier for people to manage the privacy and security controls on the internet company’s services. While Google isn’t making any additional information available, it is making it easier to find. The link to personal accounts will appear at the top right of the listings for searches done on personal computers and at the top of requests entered on smartphones. Google is making the change because it learned that many users doing a “vanity search” under their name wanted a quicker way to find out what the company knew about them, as well as to see how they are depicted on various sites across the internet, said Guemmy Kim, a Google product manager. A new feature on Google’s mobile app will also quickly take users to their account information with a spoken request. All that will be required are the words: “OK Google, show me my Google account.” This option initially will only be available in English. [Source]

WW – IETF Publishes RFC for DNS Encryption

The Internet Engineering Task Force has released an RFC (request for comments) proposing that DNS requests be encrypted with Transport Layer Security (TLS). DNS requests and responses are often collected by law enforcement because they are classified as metadata. [The Register] [RFC]

Privacy (US)

US – Report: Employee Cybersecurity Knowledge Low, Despite Training Programs

A study from Experian and the Ponemon Institute reveals security training programs aren’t efficient enough at altering workers’ unsafe online behavior. “Managing Insider Risk through Training & Culture” is a survey of companies providing data protection courses to their employees. The study revealed 60% of respondents said their employees were either not knowledgeable or had no knowledge of cybersecurity, despite having training available. Only 35% said senior executives placed a high priority on employee data threat education, and 43% said their corporate training consisted of one course covering all departments. Low numbers were also reported on courses containing information on phishing and social engineering. “Phishing and social engineering attacks have been shown to result in data breaches. Training programs should show the consequences of these attacks and how to avoid falling prey to them.” [SC Magazine]

US – Obama Releases Final Privacy Framework for Precision Medicine Initiative

The White House announced the release of the final Data Security Policy Principles and Framework for its Precision Medicine Initiative. The framework is based on the administration’s cybersecurity framework and creates data security expectations and a risk-management approach for organizations taking part in the initiative. All federal PMI agencies will also integrate the framework across all PMI activities. President Barack Obama said, “We’re going to make sure that protecting patient privacy is built into our efforts from day one.” [White House]

US – Other Privacy News


US – New System Monitors Govt Employees for Potential “Insider Threats”

The Defense Department is creating a system designed to expose potential “insider threats” by monitoring national security personnel. The Pentagon is hiring a team of “cross-functional experts” who are trained in cybersecurity, privacy, law enforcement, intelligence, and psychology to help discover potential traitors. The DOD Component Insider Threat Records System will also examine employees’ social media posts, and their digital work habits, while also incorporating keystroke tracking, screen captures and email. Civil liberties advocates are voicing their opposition to the system, saying the constant surveillance will stop whistleblowers from coming forward. “When you read the insider threat material, what they view as a threat is somebody reporting information about government activity to the press, which is, in a democratic society, not only important but necessary,” said FBI veteran Michael German. [Nextgov]

US – DOD is Creating an Insider Threat Database

The US Defense Department (DOD) is creating a system that contains information about national security personnel and other people with security clearances to help identify potential insider threats. The DOD Component Insider Threat Records System was created in response to the Pfc. Chelsea Manning data leaks that occurred in 2010. [NextGov]

WW – CIOs Say Organized Cybercrime is Top Threat to Business Operations

According to the Harvey Nash/KPMG 2016 CIO Survey, one-third of the respondents said they had dealt with a significant IT emergency or a cyberattack over the past two years. CIOs say organized cybercrime is the biggest cyber-threat to their organizations. The report found that 46% of CDOs (chief digital officers) report to their organization’s CEO, while just 21% report to the CIO. And 65% of respondents said they believe that a shortage of technical talent will hinder their ability to keep pace with the changing digital landscape. The survey comprises data gathered from 3,352 CIOs and technology leaders in 82 countries. [Press Release]

US – Medical Devices Could Be Used as Point of Entry into Healthcare Networks

The US Department of Veterans Affairs (VA) deputy director of health information security told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient’s treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Lynette Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments. [NextGov]

WW – ICSA Launches IoT Certification Testing Program

ICSA Labs has launched its IoT (Internet of Things) Certification Testing program. The devices that pass muster will receive the ICSA seal of approval. The ICSA program will test both consumer products and enterprise products over six components: alerts and logging; cryptography; authentication; communications; physical security; and platform security. Earlier this year, Underwriters Laboratories launched its Cybersecurity Assurance Program (UL CAP). [DarkReading] [ComputerWorld]

WW – Microsoft Ends Common Password Use and Password Lockout

Microsoft has announced plans to dynamically prohibit common passwords, like the word “password,” while concurrently using the smart password lockout system. The lockout program would keep hackers from continually attempting to access users’ accounts while not freezing out legitimate users at the same time, the report states. The changes respond to the recent hacker dump of LinkedIn data, the report adds. Reddit also took action in light of the breach, announcing it would reset user passwords, SC Magazine reports. Meanwhile, a hacker is selling more than 65 million Tumblr passwords on the Dark Web, while 427 million MySpace passwords were found for sale online for $2800. [SC Magazine]

WW – Unbox Your Laptop, and Say Hello to Security Risks

Powering up a new laptop can be exhilarating. It can also be full of security risks. Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers. OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They’re often referred to as bloatware since they’re largely unnecessary and weren’t installed at the user’s request. Not only is bloatware superfluous, it’s often a weak link in the security chain, according to Duo Labs. “The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant — meaning, trivial,” wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday. [Source]


WW – Governments Turn to Commercial Spyware to Intimidate Dissidents

A growing number of U.S. companies are teaching foreign law enforcement agencies to code unique surveillance devices, often to track dissidents. The tools can override encryption measures, the report states. “There’s no substantial regulation,” said Bill Marczak of the University of Toronto’s Munk School of Global Affairs. “Any government who wants spyware can buy it outright or hire someone to develop it for you. And when we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.” [New York Times]

CA – Interim RCMP Policy Sets Body Cam Guidelines

A new RCMP policy will require Mounties wearing small video cameras to hit record when they believe force will be used against a suspect. The interim policy is being considered with two purposes in mind: To gather evidence for prosecution against criminal behavior, and to answer any questions surrounding the aftermath of an incident. “Police are making use of a relatively new technology to hold both police officers, and members of the public we interact with, accountable for any actions taken,” the RCMP says. Other privacy concerns addressed in the interim policy include telling an individual when officers are wearing cameras, teaching RCMP members best video policies and practices, and making sure recordings are uploaded securely. [The Canadian Press] See also: [As More Police Wear Body-Cams, States Set New Rules Limiting Access to Footage] [Minnesota’s police body camera law is bringing privacy concerns.]

WW – Sports World Embraces Data Analytics

The Seattle Mariners’ use of sleep tracking tool Readiband last year is a window into the professional athletics community’s adoption of data-collecting tools. This use of data analytics is changing how coaches and players interact, Chicago Cubs Baseball Operations Assistant John Baker argues. “Welcome to the next frontier in baseball’s analytic revolution,” the report states. “Many of this revolution’s tenets will be familiar to anyone who works for a living — the ever-growing digitization and quantification of things never-before measured and tracked, for instance, or the ever-expanding workplace, the blurring distinction between the professional and the personal, and the cult of self-improvement for self-improvement’s sake.” [Vice Sports]

AU – ACT Govt Launches Review Into Civil Surveillance

The ACT government has announced a review of the use and conduct of civil surveillance in the territory that could lead to Australia’s first law to allow victims to sue over privacy intrusions. According to the statement, the review’s terms of reference will look at a range of issues, including:

  • Surveillance in civil litigation claims
  • Surveillance businesses
  • Surveillance technology and practices, such as geo-tagging
  • Expansion of the existing Listening Devices Act 1992 to capture video surveillance and electronic monitoring
  • Possible need for a tort of breach of privacy
  • Current regulation of civil surveillance and the Information Privacy Act 2014.

An independent reviewer will be engaged by the Justice and Community Safety Directorate in order to undertake the review. [Source]

Telecom / TV

WW – Charging Mobile Devices Could Put Data at Risk

Smartphones can be compromised when charged using a standard USB connection connected to a computer, Kaspersky Lab experts have discovered in a proof-of-concept experiment. The researchers are now evaluating what the impact of such an incident might be. To learn more, read the blog post available at [Kaspersky Corporate News]

US Legislation

US – Legislative Roundup



19-26 May 2016


WW – Google’s Biometric Tool Aims to Kill Password Logins

A new Google feature could spell the end for password logins. Trust API will be tested at “several very large financial institutions” in June, said Google’s Daniel Kaufman. Google’s new service looks to use multiple indicators to create one viable identifier. Trust API will use biometrics in its mission to eliminate passwords, ranging from the shape of a user’s face and voice patterns to how a user moves, types and swipes on the screen. “Biometric authentication is a powerful enabler, allowing businesses smart enough to deploy it to significantly increase rates of registration, gaining data and insight about their customers, while also increasing customer security,” said Richard Lack from customer identity management firm Gigya. “This is a win-win scenario which sounds the death-knell for awkward and insecure passwords sooner than we may imagine.” [The Guardian] [Can Google replace passwords by tracking you more thoroughly?]

WW – ‘Faception’ Tech Can Determine Terrorists from Just a Face Scan

Israeli startup and facial recognition company Faception says a homeland security agency has hired it to help discover terrorists. The company says its technology is so precise it can identify “great poker players to extroverts, pedophiles, geniuses and white collar-criminals,” just from a face scan. The tech is not without critics. “Can I predict that you’re an ax murderer by looking at your face and therefore should I arrest you?” said the University of Washington’s Pedro Domingos. “You can see how this would be controversial.” Meanwhile, advertising company Mattersight Corporation will start using publicly available facial data from avenues like YouTube and Vine to gather personality profiles. [Washington Post] [ComputerWorld]

Big Data

US – Big Data: White House Issues Report on Primary Challenges and Opportunities

The Executive Office of the President has issued a report on Big Data that examines:

  • instances where big data methods and systems are being used in the public and private sectors in order to illustrate the potential for positive and negative outcomes; and
  • the extent to which “equal opportunity by design” safeguards may help address harms.

The primary challenges of Big Data are inputs to an algorithm (e.g. poorly selected data, incomplete/incorrect or outdated data, selection bias, and unintentional perpetuation/promotion of historical biases), and the design of algorithmic systems and machine learning (e.g. poorly designed matching systems, personalization and recommendation services that narrow user options, decision-making systems that assume correlation implies causation, and data sets that lack information or disproportionately represent certain populations). [Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights – Executive Office of the President: Press Release | Report]


CA – New Recommendations for British Columbia’s FIPPA

Timothy Banks writes about the report tabled this month by the special committee appointed to review the B.C. Freedom of Information and Protection of Privacy Act. The committee made 39 recommendations to the legislature, several of which, if accepted, “would provide needed updates to improve public sector transparency. Regrettably, however, the committee has recommended that the legislature retain the controversial data sovereignty provisions of FIPPA that preclude transfers of personal information outside of Canada.” In this post, Banks examines four interesting recommendations made by the committee dealing with mandatory breach reporting, duty to document, data destruction, and data sovereignty. [Full Story] See also: [Timothy Banks offers an analysis of Ontario’s new Health Information Protection Act and the ways it has amended the Ontario Personal Health Information Protection Act, 2004]

CA – Alberta Premier Rebuts Privacy Concerns Over Carbon Tax Law

Premier Rachel Notley is dismissing opposition accusations that her NDP government’s carbon tax bill contains invasive and arbitrary rules on search and seizure. …Under Bill 20, officials who believe there are breaches of the levy can get a search warrant to go on properties, check fuel tanks, vehicles, buildings and computer hard drives. If they feel that someone is at immediate risk of harm or evidence might be destroyed they can proceed without a search warrant, but a search warrant or the owner’s permission is needed to get into someone’s home. [The Canadian Press]

CA – NS Government to Consider Mental Health Care Improvements

Premier Stephen McNeil and other Nova Scotian liberal politicians will investigate whether the province’s privacy laws are preventing youths with mental illnesses from receiving proper care. During a recent news conference on the matter, Carolyn Fox described how health care privacy laws prevented doctors from alerting her about her daughter’s three hospital visits, knowledge of which she felt could have prevented her daughter’s January suicide. “Because of the privacy law I was not contacted,” Fox said. There were “no red flags as to say this girl has been here three times, released, and told she was fine. This is not acceptable.” McNeil agreed. He acknowledged, however, that there was “a whole host of issues” accompanying revisiting notification protocol, “not the least of which is the breaching of someone’s privacy,” he said. [CBC News]

CA – Newfoundland Supreme Court Finds General Warrant Can Be Used to Retrieve Historical Text Messages

The Supreme Court of Newfoundland and Labrador considers whether authorisation under the Criminal Code is necessary prior to search of a cellphone’s historical data. An individual argued that police unlawfully searched his mobile phone because a general warrant was obtained for the search (which does not authorize interception of private communications); although his text messages qualify as a private communication, retrieval of prior stored messages does not qualify as an interception (messages would not be retrieved in the course of the communication process). [Her Majesty the Queen v. Rex Rideout – Supreme Court of Newfoundland and Labrador – 2016 CanLII 24896]

CA – Courts & Privacy Issues Around Production of Text Messages

There can be no doubt that text messages are normally producible under any rules of civil procedure, if they are relevant to the issues set out in the pleadings of an action and are only between the parties in the litigation. But in any number of types of civil proceedings there are surely many other relevant texts in which either the sender or receiver is not a party to the litigation, or texts that have been intercepted by someone who is neither the sender nor the receiver of that text. Whether production of those texts is subject to some scrutiny regarding privacy rights is an open question. While production of some of these types of texts might be sanctioned by way of a motion for third-party production, the more immediate question for a plaintiff, or defendant, in a civil proceeding is whether or not to initially produce such a text without breaching an expectation of privacy and privacy rights of a non-party. [The Lawyers Weekly Canada]


UK – Two-Thirds of Brits think Snooper’s Charter Extracts Are from Dystopian Fiction: Research

Research from popular VPN service HideMyAss has revealed that when presented with extracts from the [Investigatory Powers Bill, also known as the Snooper’s Charter], two-thirds of Brits thought it was from dystopian fiction …On average, one in five of those (20%) suspected the quotes derived from George Orwell’s 1984, one in ten (10%) thought they were from Enemy of the State, and 7% believed the quotes were from The Hunger Games. What’s more, 8% of those polled even believed the quotes were from North Korean propaganda. [Source]

NO – Consumer Council Hosting Live-Streamed Reading of Privacy Policies

The Norwegian Consumer Council will livestream a reading of the terms of service and privacy policies from apps on an average mobile phone. The NCC predicts the event, featuring 33 apps in total, will take more than 24 hours, “as the combined texts are longer than the New Testament,” the report states. “The current state of terms and conditions for digital services is bordering on the absurd,” said Norwegian Consumer Council Digital Policy Director Finn Myrstad. “Their scope, length and complexity mean it is virtually impossible to make good and informed decisions.” The agency hopes the event will highlight the inapproachability of long policies, the report states. [Fortune]


US – Tech Companies Urge Senate to Pass Email Privacy Act Without Changes

As the Senate Judiciary Committee plans to examine, and possibly change, the Email Privacy Act, a group of 70 major tech companies are asking senators to approve the bill without any alterations. The organizations sent a letter to the Senate urging it to ratify the “carefully negotiated compromise” immediately, without any amendments added to “weaken” the bill. Signatories of the letter include Adobe, Amazon, Apple, Facebook, Google, IBM, Microsoft, and Yahoo. Despite questions about what version of the Email Privacy Act will be examined by the panel, the Senate Judiciary Committee will vote on the exact same text as the one unanimously passed by the House of Representatives. [The Hill] See also: [Email Privacy Act could face changes]


EU – Cybersecurity and Police Chiefs Reach Breakthrough Agreement on Encryption

Leaders from the EU Agency for Network and Information Security (ENISA) and Europol have reached an agreement about the legal lengths to which law enforcement groups may go to access personal information. The move is what the report calls a “surprise turn” in discussions between cybersecurity group ENISA’s Udo Helmbrecht and Europol Director Rob Wainwright. Both spoke in favor of strong encryption and stated their dual opposition to back-door encryption. “While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” they said in a statement. [EurActiv]

EU Developments

EU – Parliament Finds Privacy Shield Does Not Provide Substantial Improvements to Safe Harbour

The European Parliament issued its opinion on the EU-US Privacy Shield. The Shield does not provide an equivalent set of principles (there are no requirements for consent or data minimisation, processing for incompatible purposes is allowed, and blanket permission is given for all types of processing), allows for bulk collection of EU citizens’ personal data and communications (in breach of CJEU and ECHR judgments), and supervisory powers of the Department of Commerce, FTC and the Ombudsperson are not comparable to EU supervisory authorities. [EU Parliament – Motion for a Resolution on Transatlantic Data Flows]

EU – Privacy Seal Schemes Gradually Taking Shape in Europe

The EU is moving ever closer to having a widely recognized privacy seal scheme — or rather, several of them — for Web services. EuroPriSe is a company that spun out of the data protection authority of Germany’s Schleswig-Holstein state a few years back, with funding from the European Commission. It’s pushing to expand its scope across the EU and beyond, and last month it started offering website operators a privacy seal indicating to the world that they stick to EU data protection law. And it’s not the only player in the game. “Europe’s privacy kitemark scene may be fragmented and in its early stages, but at least the many players are talking to one another.” [Full Story] See also: [Op-ed: UL certification program for IoT devices a ‘step in the right direction’ ]


US – Campaign Hopes to Inspire Congress to Better Protect Financial Data

A group of seven trade organizations have banded together to create a Stop the Data Breaches campaign. The group wants to publicize the costs of breaches for financial institutions in an effort to garner attention and legislative support from Congress, the report states. “Credit unions and other financial institutions are continuing to pay the tab for retailer data breaches, and consumers’ data remains vulnerable,” said the National Association of Federal Credit Unions’ Brad Thaler. “It’s long overdue for Congress to pass legislation ensuring that everyone has a similar mandate to keep customer data safe,” added Financial Services Roundtable’s Jason Kratovil. [Associations Now]


CA – Rogers Releases New Transparency Report

In its third annual transparency report, Rogers Communications revealed that, of the more than 86,000 requests, it refused to hand over consumer data to law enforcement 3% of the time. This is the first time one of the “Big Three” telecoms has disclosed how many times it has refused government requests for data. “It’s so that people understand that we do not just accept requests at face value,” said Rogers Chief Privacy Officer Dave Watt. “We really feel strongly about protecting customer information.” Open Media’s Laura Tribe said the report could improve, but said Rogers’ more detailed report is a “positive example,” adding, “This type of reporting is essential if we are to shed light on the government’s attempts to obtain our private information.” [Financial Post]

CA – Alberta OIPC Finds FOIP and HIA Do Not Apply When Information is Collected in an Employee’s Personal Capacity

The Office of the Alberta Information and Privacy Commissioner reviewed a decision made by a health organization to deny access to personal information. The letters collected by the employee were written specifically for her, discussed incidents that took place in the health clinic, and had a very personal tone; the applicant purposefully provided the letters in the parking lot of the clinic so he would not be handing over information as a patient to a health facility and specifically requested that the employee destroy them immediately after reading them. [OIPC Alberta – Order H2016-05/F2016-13 – Alberta Health Services]

CA – Federal Interim Directive Commits to More Open and Transparent Government

The federal government issued a request for feedback on its proposals to improve the Access to Information Act. Effective May 5, 2016, all non-application fees are waived, and requesters must generally receive information in a computer-readable format; a full review of the Act, scheduled for 2018, would incorporate these changes, ensure the Act applies to the office of Ministers and the Prime Minister, and permit the refusal of frivolous/vexatious requests. [Government Proposals to Revitalize Access to Information – Government of Canada Consultation | Interim Directive | Additional Information ]


US – Myriad Genetics Hit with ACLU Complaint to HHS

A complaint has been filed against genetic testing company Myriad Genetics, Inc. for not adhering to the requests of four patients wishing to view personal genetic information. The ACLU filed the complaint to the U.S. Department of Health and Human Services’ Office for Civil Rights, saying Myriad’s refusal to provide the information was a HIPAA violation. Despite Myriad providing the information to the patients at a later date, the ACLU will still go forward with the complaint. Myriad spokesman Ron Rogers said delivering the information was not done to prevent an ACLU complaint, and the company promises to honor future requests. “As far as we’re concerned, the matter is resolved,” Rogers said. “We think the ACLU’s claim is without merit.” [Reuters]

US – Final Rule Prohibits Employer Wellness Programs from Collecting Employee and Spousal Health Data Unless Prescribed Standards Are Met

The Equal Employment Opportunity Commission has issued final rules amending the Regulations Under the Americans With Disabilities Act (“Part 1630”), and the Genetic Information Nondiscrimination Act (“Part 1635”) – the rules are:

  • effective July 18, 2016; and
  • applicable beginning January 1, 2017.

Employers are subject to incentive limits with regard to encouraging employee participation in wellness programs (which include medical exams); no incentives are permitted in exchange for the current/past health status information of employees’ children or for specified genetic information of an employee, and an employee’s spouse and/or children. [Equal Employment Opportunity Commission – Final Rules 29 CFR Parts 1630 and 1635 – Employer Wellness Programs – Regulations Under the Americans Disabilities Act; Genetic Information Nondiscrimination Act | Press Release ] Federal Register (Regulations Under the Americans Disabilities Act; Genetic Information Nondiscrimination Act)

Health / Medical

WW – Google Health App Halted as Enforcement Agencies Examine Data Use

Streams, the health data app born of a controversial alliance between Google’s DeepMind and the NHS Royal Free Trust, is not currently active. The app served to discover hospital patients in danger from acute kidney disease, but critics took umbrage with the amount of data the app used to deliver so specific a diagnosis, the report states. As a result, the Medicines & Healthcare Products Regulatory Agency is “in discussions” with the organizations to determine whether the app needs to be registered as a medical device, the report states. This announcement comes on the heels of the decision by the U.K. Information Commissioner’s Office to investigate a “small number of complaints” about Streams’ data use. [TechCrunch]

Horror Stories

WW – Database of 2M Mexicans’ Voter Data Found Online

A data breach researcher discovered a database of the personal information of more than 2 million Mexicans posted online. MacKeeper’s Chris Vickery, who discovered the breach, is the same researcher who recently found a similar database of 93.4 million Mexican voting records leaked online. This time, he found the new database by conducting a “random search,” the report states. After an investigation, Mexico’s voting authority confirmed the information was voting data from Sinaloa, and the data has since been taken down. “I think the sudden appearance of multiple [voter registry] databases is a symptom of giving out too many copies,” said Vickery. “I think the [voting authority] is making good changes in the future by not allowing so much information to be so widespread.” [Fortune]

Identity Issues

WW – Hartzog: ‘Public’ Data Sets Are Not Fair Game

In the wake of research that published a data set on 70,000 users of OKCupid, professor Woodrow Hartzog argues that traditional notions of “public” data are now misguided and outdated. Justifying the release of data because it’s considered public “is fundamentally wrong,” he writes. “Not just because we should be able to expect a certain amount of privacy in public, but because, despite frequency of use and seeming self-evidence, we actually don’t even know what the term public even means.” He warns that the public data argument is “gaining steam” in policy discussions, but adds, “The ‘public information’ justification is a simple way to avoid answering hard questions about the privacy interests in data.” [Slate] See also: [Published personal data on 70,000 OkCupid users taken down after DMCA order]

EU – EU Advocate General Opinion States IP Addresses Are Personal Data

Manuel Campos Sanchez-Bordona, the EU advocate general, has determined that dynamic IP addresses qualify as personal data, according to a blog post from Covington. Sanchez-Bordona’s opinion is in relation to Patrick Breyer v. Germany, a case currently pending in the EU Court of Justice. The advocate general’s opinion details how even if a website operator cannot determine the user behind an IP address, Internet service providers have data that, when connected with an IP address, can identify the individual. The opinion also covered how the collection and use of IP address data, when used to ensure a website is functioning, could be acceptable on the basis of the “balancing of legitimate interests” test in the GDPR. While the court doesn’t have to follow the advocate general’s opinion, it could have broad implications for the EU if followed by the Court of Justice. [Full Story] [Review of Opinion]

Law Enforcement

CA – RCMP Under Fire for ‘Misrepresenting’ Stingray Use

Recently disclosed court documents indicate that the Royal Canadian Mounted Police used Stingray devices during two 2014 criminal investigations, but the defendants’ lawyers in the cases argue that the RCMP allegedly “misrepresented” how they would use the tools. The undisclosed details include the Stingrays’ range, phone location pinpointing abilities, and their “potential for interference with 911 calls,” the lawyers argue. However, RCMP lawyers countered that nondisclosure agreements keep the law enforcement agency from elaborating on the Stingrays’ capabilities, among other details. A hearing on the matter was postponed from May 17 to a later date, at which time the defense will seek more information on the RCMP’s precise use of the tools, the report states. [Vice News]

US – Commentary: FBI, Locals Team Up to Invade Citizens’ Privacy

StingRay deployments have been confirmed in at least 24 states and the District of Columbia, and there is every reason to believe many of the remaining states possess them and simply haven’t been forced to disclose it. Different departments have different deployment policies, but cities such as Baltimore have admitted to deploying the devices in thousands of investigations. Given such widespread use, and such obvious and troubling privacy implications, one would expect to find a large body of court rulings on the constitutionality of warrantless StingRay surveillance. One would be mistaken. [Source]

US – New System Would Give Law Enforcement Access to Public Cameras

Computer scientists at Purdue University have developed tools allowing law enforcement to access cameras that aren’t password protected to help determine the best way to respond to a crime. While in proof of concept form, the Visual Analytics Law Enforcement Toolkit overlays the rate and location of crimes to the location of police surveillance cameras, while CAM2 reveals the locations and positions of public network cameras. Registered users only have limited access. The terms of service state, “you agree not to use the platform to determine the identity of any specific individuals contained in any video or video stream,” but those safeguards aren’t enough to quell privacy advocates’ concerns. “I can certainly see the utility for first responders,” says EFF investigative researcher Dave Maass. “But it does open up the potential for some unseemly surveillance.” [Wired]

CA – Mounties Wearing Video Cameras Told to Record Use of Force

Mounties wearing tiny video cameras must hit the record button when there is “a high likelihood” they’ll use force against someone, says an interim RCMP policy on use of the devices. …RCMP detachments in Wood Buffalo, Alta., and Windsor and Indian Head, N.S., took part in the 2015 tests. In addition, the Mounties have advised the federal privacy commissioner of ad-hoc evaluations of the technology. “For example, they have used the cameras at protests in New Brunswick and in Burnaby, B.C.,” said Tobi Cohen, a spokeswoman for the privacy commissioner. [Source]

Online Privacy

WW – Default Settings Criticized in New Google Messaging App

Last week, Google unveiled a number of new products, one being a new messaging app called Allo. The app features strong, end-to-end encryption, but it’s not the default setting. Users have to turn it on, and that has some privacy advocates up in arms. Edward Snowden tweeted that not having it on by default “is dangerous, and makes it unsafe.” New America’s Open Technology Institute Director Kevin Bankston, however, said, “I, too, would prefer that Allo be encrypted by default,” but added, “all in all, this is going to be a net increase in the amount of encrypted messaging out in the world. And that is ultimately a good thing.” [The Washington Post] [Allo Chat Privacy Concerns Are Way Overblown] See also: [This Fitness App Tracks You Too Much, Consumer Advocates Claim] [Runkeeper in Hot Water] and [Grindr users can have location tracked, even with adjusted settings]

Other Jurisdictions

WW – Global Guide to Data Breach Notifications 2016

A new guide from World Law Group provides information organizations need to know when facing a data breach in one or more countries. Produced by the WLG’s Privacy & Data Protection Group, it provides summaries of relevant law, data breach reporting requirements, contact information for relevant data protection authorities and more for 60 countries. [Read Now] [Full Story]

AU – Victoria to Create Info Commissioner Role to Oversee Privacy and FOI

The new body will be created as part of an overhaul of the state’s FOI regime, which will also include introducing the ability to review ministerial and departmental FOI decisions including under Cabinet exemptions; reducing the time to respond to an FOI request from 45 days to 30 days; and reducing the time that agencies have to seek a review by the Victorian Civil and Administrative Tribunal from 60 days to 14 days. [Source]

Privacy (US)

US – FTC to Host Disclosure Workshop

The Federal Trade Commission will host “Putting Disclosures to the Test” on Sept. 15, a free, public workshop that will evaluate companies’ claims and privacy practice disclosures, according to a press release. The event will “explore how to test the effectiveness of these disclosures to ensure consumers notice them, understand them, and can use them in their decision-making,” the report states. Interested parties may submit proposals for the event to [FTC Press Release]

US – Educator’s Guide Takes the Mystery Out of Student Data Privacy

Now that technology is an imperative in our personal and professional lives, it is also a necessary part of education. More than that, technology is making it possible for more students and teachers across the country to collaborate, create, and get access to high quality resources. At the same time parents and policymakers are increasingly concerned about the student data those tools create and track. How can a classroom teacher or a building level administrator who knows and loves education technology balance student privacy with powerful student learning? ConnectSafely and the Future of Privacy Forum have partnered to write The Educator’s Guide to Student Data Privacy. The authors wanted to create an easily accessible resource that teachers and administrators could use right away. Using an online collaborative document, the authors integrated varied perspectives from classroom education, media, policy, connected technologies, and parenting. This guide, which includes a ten-question checklist to help educators as they consider using a new tool with students, will make managing privacy manageable for educators. [Education Week] [PDF of Guide]

US – Federal Procurement Regs Adopt Simple Security Controls

This week the Federal Acquisition Regulations were updated to focus on basic security hygiene. [Source] [Pescatore blog]


WW – Survey: Baby Boomers Better at Password Security than Millennials

According to survey results, Baby Boomers – people aged 51-69 – are the demographic most likely to use the security best practice of having a unique password for each and every online account: 65% of respondents said they have 5 or more passwords across their online accounts, compared with just 44% of millennials (ages 18-34). The report didn’t give the figures on people ages 35-50, but it did say that only 16% of people follow best practices overall. [Source]

Smart Cars

CA – Tighter Rules Needed for Police Access to Event Data Recorders

Are tighter rules needed on recording devices in cars? ‘I think if a device is surveilling you … that there have to be restrictions on it.’ Most vehicles built since the early 2000s contain event data recorders that silently log everything, such as braking, speed, steering and whether a seatbelt is buckled. …However, that constant data collection is raising questions. Both the Canadian Automobile Association and the Automobile Protection Association are asking for clearer rules on how that data is obtained and used by police, car manufacturers and insurance companies. [Source]


UK – 22 BILLION Police ANPR Photos Stored, 34 Million Added Daily

A police network of ‘Big Brother’ spy cameras takes photos of about 34 million number plates each day, new figures have revealed. Around 9,000 surveillance cameras have been placed along Britain’s roads and senior officers claim they are invaluable in preventing and solving serious crimes and terrorist attacks. The Automatic Number Plate Recognition (ANPR) technology is also fitted to police vehicles, and is used to find stolen cars and tackle uninsured drivers. But privacy campaigners have argued that the system, which allows officers to access 22 BILLION records held for up to two years, is intrusive and heightens fears of an Orwellian surveillance state. Searches of the database by police officers have soared by more than 50% in just two years – from 194,317 in 2012 to 300,758 in 2014. In the last 12 months, evidence from ANPR cameras has been used in more than 200 court cases to secure convictions for offences including robbery, kidnapping, drugs and murder. The Information Commissioner raised questions about the scale of surveillance, but police forces say it is critical to monitor criminal activity on the roads. [The Daily Mail]

EU – German Court Accepts Footage from Single Dashcam to Convict Driver

A decision by a German court to accept footage from a dashcam as the sole evidence to convict a driver who drove through a red light sparked a debate in the media on Friday about privacy and surveillance. …“After the court decision, might amateur ‘sheriffs’ now feel empowered to film and report people behaving badly?” the Sueddeutsche Zeitung wrote in a front page article on Friday. [Source]

CA – Winnipeg to Expand Back-Lane Cameras to Private Property

City administrators want permission to set up motion-activated cameras on private property to catch illegal garbage dumping. The city launched a pilot program last month in which cameras were set up on city property. So far, two cameras have been placed at dumping hot spots. Now, the administration wants the ability to place cameras on private property. Six mobile, high-definition cameras were purchased at a cost of $54,000. Images from the cameras can be downloaded remotely. The manufacturer states the cameras can capture clear images from up to 30 metres, even at night. The administration wants council to give its chief administrative officer the authority to approve legal agreements with private property owners. …Winnipeg lawyer Andrew Buck, who specializes in privacy law, said concerns about privacy violations need to be considered within the context of the neighbourhood concerns and the problems tied to illegal dumping. [City wants to boost effort to catch illegal dumping]

US Government Programs

US – OMB Helping Privacy Professionals Become More Tech Savvy

The Office of Management and Budget has been working to help privacy and security pros work together. OMB Senior Privacy Advisor Marc Groman said privacy and security can work “perfectly in concert” if professionals from both fields work on projects from their genesis. The OMB has started offering technical training to help privacy professionals have more meaningful roles in discussions. “It is my personal belief that you cannot be a privacy professional in 2016 and not understand tech,” Groman said. “And so we are building a technology curriculum for federal government privacy professionals so that when they sit across the table from all of you, as you’re building a new system or discussing enterprise architecture, they have a baseline understanding of tech, just like I hope you all will have a baseline understanding of privacy.” [FCW]

US Legislation

US – Federal Bill Proposed to Limit Use of Stingrays

The federal bill requires State and local law enforcement agencies to conform to federal guidelines when using cell simulator devices. H.R. Bill 5154 – Fourth Amendment Integrity Restoration (“F.A.I.R.”) in Surveillance Act 2016 was

  • introduced in the House of Representatives:
  • the bill was referred to the Committee on the Judiciary.

Any coordination or agreement between a Federal and State or local law enforcement agency, pertaining to the acquisition or use by that agency of any cell simulator device, must require that the use will conform to the guidance and policies that apply to the Federal agency on the use of such devices. [H.R.5154 – F.A.I.R. Surveillance Act of 2016]




12-19 May 2016


WW – Facebook Launches Facial Recognition App Without Facial Recognition Technology

Facebook is releasing its photo app Moments in Europe, but with some important changes in order to comply with EU privacy laws. While the U.S. version of Moments features facial recognition technology, the European version will not, in part because of Facebook’s battle with the Irish data protection commissioner over the legality of the technology. The app uses facial recognition technology to identify individuals within photos bundled from the same event. The European version will still group photos from a particular event, but users will have to manually tag their friends. One major difference allows European users to share their photos privately, in a move geared toward the more privacy-cautious EU userbase. [The Guardian]

US – FBI Doesn’t Want Privacy Laws to Apply to Its Biometric Database

The FBI has been building a massive biometric database for the last eight years. The Next Generation Identification System (NGIS) starts with millions of photos of criminals (and non-criminals) and builds from there. Palm prints, fingerprints, iris scans, tattoos and biographies are all part of the mix. Despite having promised to deliver a Privacy Impact Assessment of the database back in 2012, the FBI’s system went live towards the end of 2014 without one. That’s a big problem, considering the database’s blend of guilty/innocent Americans, along with its troublesome error rate. The FBI obviously hopes the false positive rate will continue to decline as tech capabilities improve, but any qualms about bogus hits have been placed on the back burner while the agency dumps every piece of data it can find into the database. The FBI has shown little motivation to address Americans’ privacy concerns by providing an updated Impact Assessment (the one it does have dates back to the program’s inception in 2008), but has wasted no time in alerting legislators about its own privacy concerns. On Thursday, the Justice Department agency plans to propose the database be exempt from several provisions of the Privacy Act — legislation that requires federal agencies to share information about the records they collect with the individual subject of those records, allowing them to verify and correct them if needed. The DOJ’s comments reflect the FBI’s desire to keep its newest tracking toy as secret as possible. It asks for a number of exceptions and justifies those with the same excuses it uses to withhold information from both courts and FOIA requesters. [Source]

UK – PwC White Paper Points to Best Privacy Practices When Using Biometric Matching for Authentication

Nok Nok Labs, a member of the FIDO (Fast IDentity Online) Alliance, published a White Paper from PwC Legal comparing key privacy implications of on-device and on-server matching of biometric data. For organisations considering biometrics as they move away from reliance on usernames and passwords, the report highlights why device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data. Other key findings in the White Paper include:

  • Freely given, informed user consent is required before processing biometric data in almost every jurisdiction covered in the White Paper
  • With centralised storage of biometric data, the potential for large-scale loss of data is significantly increased
  • On-device authentication will generally avoid international cross-border biometric data transfer implications. Conversely, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted

“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, President & CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach. The on-device approach, as used by Nok Nok Labs technology, ensures optimal privacy for biometric information.” [Source] [FedScoop: PwC Study: Device-Side Biometrics Preferred Over Server-Side]

AU – OAIC Seeks Feedback on Draft Guide to Big Data & Privacy

The Office of the Australian Information Commissioner is seeking feedback on a draft guide to the interaction between so-called big data and Australian privacy law. In particular, the draft examines how the Australian Privacy Principles (APPs) apply to big data. “There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation, and retention minimisation — work in practice,” acting Australian Information Commissioner Timothy Pilgrim said. “However, the APPs [Australian Privacy Principles] are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.” “The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data,” Pilgrim said. [Source] The document is available from the OAIC’s website. The deadline for submissions on the draft is 26 July.


CA – OPC Starts Consultations on the Realities of Customer Consent

“It seems clear that reading privacy policies could be a full-time pursuit with untold hours of overtime,” federal privacy commissioner Daniel Therrien told a privacy conference in Toronto. “It is no longer entirely clear who is processing our data and for what purposes – creating challenges for meaningful consent.” That’s why his office has started a consultation with chief privacy officers and other executives, researchers as well as the public on whether the consent model — largely instituted by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) — should be improved or whether there should be more focus on accountability and ethical uses of personal information by organizations, which would place the responsibility for oversight on regulators. [Source]

CA – OPC Releases Publication Highlighting Independent Privacy Research Projects Funded by Contributions Program

The Office of the Privacy Commissioner of Canada (OPC) has released the latest edition of Real Results—a publication highlighting the innovative and socially relevant independent privacy research and knowledge translation projects funded by the OPC Contributions Program over the past few years. The new edition of Real Results features funded projects that explore a range of emerging privacy issues—police background checks, the use of genealogical information, and telematics systems in cars—as well as some innovative approaches for helping young people learn to protect their privacy. The stories feature key findings of the projects, as well as commentaries and ideas from the researchers themselves that illustrate the issues and the impact of their work. The OPC Contributions Program funds independent privacy research and related knowledge translation initiatives. These projects not only advance the collective knowledge on privacy, they provide real, tangible research results that Canadians can use to make decisions about privacy protection in their own lives. To explore all research and knowledge translation projects funded by the OPC Contributions Program, see the Contributions Program projects listed by year on our website. [Source]

CA – NWT Government Seeking Comments on Reforms to ATIPPA

The Department of Justice for the Northwest Territories has issued a consultation on reform of the Access to Information and Protection of Privacy Act. Comments will be accepted until June 15, 2016. A comprehensive review of the Act is being conducted to address identified issues related to the purposes of the Act, the scope of the Act, time limits for responding to access to information requests, mandatory and discretionary exceptions to disclosure, circumstances allowing disclosures of personal information, the powers of the IPC, and current levels of fines for offences under the Act. [NWT Government – Public Engagement on the Comprehensive Review of the Access to Information and Protection of Privacy Act]

CA – Gov’t Minister Veto Could Trump Proposed Info Commish Powers

The Liberal government is floating the idea of a ministerial veto over planned new powers for the information commissioner — a move that would give cabinet the power to block release of documents. …Currently the commissioner, an ombudsman for users of the access law, can investigate complaints and recommend that records be released. But she cannot force a government agency to do so, and must head to court to pursue the matter further. Provincial commissioners in British Columbia, Alberta, Ontario, Quebec and Prince Edward Island have the power to order the release of government information. Many openness advocates have called for the federal commissioner to have similar authority. [Source]

CA – Quebec Info Commish Blasts School Board Over Data Sent to US

Quebec’s Information Commissioner has condemned Lester B. Pearson School Board (LBPSB) for sharing confidential personal information far too freely. Judge Cynthia Chassigneux ruled that LBPSB grossly violated its stakeholders’ rights by sharing their personal information with a private California database firm, Blackboard Connect, where it is subject to disclosure to American authorities under the Patriot Act. [The Suburban]

CA – Ontario Court of Appeal to re-Examine Shielding Data from US Probes

What happens to data being stored in Canada and whether it can be accessed by foreign law enforcement agencies is a question Canadian courts are currently grappling with. Two decisions — one in Ontario, the other in British Columbia — have determined that information held in servers in Canada can’t be shielded from review by American investigators. But the Ontario Court of Appeal has decided to re-examine one of those cases. [Law Times]

CA – BC Court of Appeal Rules on Privacy, Technology, and Instant Messaging

In its recent decision R. v. Craig, 2016 BCCA 154, the B.C. Court of Appeal recognized a reasonable expectation of privacy in private instant messages shared on a social network. Even though the context was criminal law, the reasoning underlying the decision is of interest to any practitioner confronted with protection of privacy issues. This bulletin discusses this case first by presenting the facts, followed by the legal issues, the “reasonable expectation of privacy” test, and the court’s guidance for the future. “In our opinion, this decision can be summed up in two words as it pertains to reasonable expectation of privacy: tradition and progress. Legal tradition, because the Court of Appeal reiterated and affirmed the doctrine of confidentiality in private communications: the sender is not supposed to know that the recipient will share the message with third parties. Technical progress, because the Court of Appeal applied this doctrine, with the necessary adaptations, to the digital universe, by explaining that private instant messages shared on a social media website are entitled to an objective expectation of privacy. Most importantly, from a much broader perspective, this principle would apply to any private technological communication.” [Fasken]

CA – OPC Releases Survey Results on Canadian Businesses

The Office of the Privacy Commissioner of Canada recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare with their privacy knowledge and protections. The informative report on the survey is the 2015 Public Opinion Research with Canadian Businesses on Privacy-Related Issues. Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines. [Source]

CA – RCMP Surveilled Journalists for 9 Days Without Authorization

Mounties probing CSIS leak conducted unauthorized surveillance of 2 journalists. Officers spent 9 days watching Ottawa-based journalists, new document reveals. Only after the surveillance of the reporters had occurred did officers ask their RCMP bosses for the required permission. They were immediately denied authorization, and told to cease the surveillance. The bombshell revelation about a national police agency spying without authorization on Canadian journalists appears in a document obtained by CBC News under the Access to Information Act. The partly censored briefing note for Public Safety Minister Ralph Goodale was written after media reports appeared last November detailing Project Standard. That was the official name of the Mountie probe into the leak of a 2003 secret document, created by the Canadian Security Intelligence Service (CSIS), to journalists working for the Montreal newspaper La Presse. [CBC] [Trudeau: ‘Unacceptable’ That Rogue Canadian Cops Spied on Two Journalists] See also: [Mulcair calls for inquiry into RCMP surveillance of journalists] [RCMP commissioner speaks out on unauthorized surveillance]

CA – Privacy Laws for Mental Health Care in Nova Scotia Could Soon Be Reviewed

The governing Liberals are ready to examine whether Nova Scotia’s privacy law is preventing young adults from getting the support they need when they are suffering from a mental illness. The issue was front and centre at Province House on Tuesday during a visit to the legislature by Carolyn Fox. Her daughter, Cayley, 21, killed herself on Jan. 22. [Source] See also: [Nova Scotia mental health care privacy laws unlikely to change: former health czar]


CA – Ipsos Survey Finds Most Canucks Don’t Trust Gov’t With Their Info

A majority of Canadians believe that their personal, confidential information held by all levels of government is vulnerable to a security breach, including non-authorized internal access or an external data hack and theft, according to a new Ipsos poll conducted on behalf of Accenture. Municipal governments top the list, with 56% of Canadians describing them as vulnerable (16% very/41% somewhat) to threats when it comes to personal data for things such as property tax, water/sewage and traffic fines. A minority (44%) does not see their information as vulnerable (9% not at all/34% not very). Other levels of government don’t perform much better, as many feel the same way about their provincial government, which stores confidential data for drivers’ licenses, health cards and birth certificates: a slim majority (55%) say entities at the provincial level are vulnerable to data security breaches (20% very/35% somewhat), while nearly half (45%) say they aren’t vulnerable (13% not at all/32% not very). When sharing their personal, confidential data with the Federal government – for anything from taxes to SIN cards to passport renewals – 53% of Canadians feel their data is vulnerable to a security breach (20% very/33% somewhat), while fewer than half (47%) do not (15% not at all/32% not very). While most Canadians likely trust their doctor, many are less convinced about the security of their health records. Half (55%) feel records held at their doctor’s office or hospital are vulnerable (20% very/35% somewhat) to a security breach, while 45% do not (14% not at all/31% not very). Other institutions are not exempt from data protection concerns. Half of Canadians (52%) feel their hydro electricity provider is vulnerable to a data security breach (14% very/38% somewhat), while the other half (48%) does not feel their information held by their hydro provider is vulnerable (10% not at all/38% not very). [Source] [Press Release | Detailed Tables 1 | Detailed Tables 2]

US – NTIA study: Privacy Concerns Curtailing Americans’ Online Activity

A National Telecommunications & Information Administration survey found Americans are concerned about online privacy and security and are curtailing their activities as a result. The survey revealed 19% of Internet-using households, equaling around 19 million, have been hit by a negative event, including a security breach or identity theft in the 12 months before the July 2015 survey. When asked about online concerns, 84 percent of participants named at least one online security concern, with identity theft cited as the most pressing issue, coming in at 63%. These fears are affecting online habits, the report states, as 45% of households said concerns stopped them from activities such as financial transactions, posting on social media or buying goods or services, with 30 percent saying it stopped them from performing at least two of those actions. [NTIA] [Privacy And Security Concerns Are Keeping Many Americans Offline]

UK – High-Profile Data Breaches Affecting Consumer Trust in Big Brands

A survey of 1,000 UK consumers commissioned by FireEye has revealed that last year’s high-profile data breaches have dented long term consumer trust in major brands. Findings highlighted rising public concerns over a perceived lack of board-level concern for data privacy, with almost three quarters (72%) of consumers stating that they were likely to stop purchasing from a company if a data breach was found to be linked to the boardroom failing to prioritise cyber security. A data breach linked to a lack of board-level attention was deemed less acceptable than if a data breach had occurred as a result of human error – with only 38% of consumers stating that they would be likely to stop purchasing if this was the reason. 29% of consumers said that data breaches had diminished their loyalty as current or potential customers of affected brands, and 38% said that they felt more negatively about companies that suffer data breaches, indicating that consumers are still largely viewing the organisations breached as the parties at fault, rather than victims of cyber crime. In addition to this, over a quarter of consumers (27%) indicated that persistent data breaches have negatively affected their perception of organisations that they buy from in general, indicating that persistent reports of data breaches are not just harming the reputation of affected organisations, but having a wider impact on consumer trust. The findings also reveal the potential long-term financial impact of data breaches on major brands, with 52% of consumers warning they would take legal action against companies if a data breach resulted in their personal details being stolen or used for criminal purposes. 62% of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organisations – from social media platforms to search engines – that rely on collecting detailed consumer data for advertisers. [Source]


AU – Vic.P.Commish Says Compulsory Census A Bad Precedent

Australian jurisdictions are highlighting privacy and data control this month, but disquiet remains about the Australian Bureau of Statistics’ recent reversal of a longstanding policy and plan for mandatory retention of names and addresses with this year’s national census. Victoria’s privacy chief worries compulsory collection of information for purposes other than law enforcement “could set a really bad precedent”. The census collects a huge array of personal data in one place — a potential honeypot for those involved in identity crime. “One of the privacy principles is data minimisation and that’s contrary to what the census is about, so I have reservations about it,” he says. [Source] [CA – Ex-MP Dean Del Mastro says long-form census may violate right to privacy]

CA – Microsoft Opens Azure Cloud Floodgates for Canadian Businesses

Microsoft has finally made its Azure Cloud services generally available in Canada, following a short limited-availability experiment in March. To provide Canadian businesses with the satisfaction that their data isn’t leaving the country, all users will be provided cloud services through local datacentre regions located in Toronto and Quebec City. Microsoft has also said that its Office 365 customers will be provided data residency through the local datacentres. “With so much momentum in the cloud, we are thrilled to welcome Bell Canada as the first Canadian telecommunications partner for Azure ExpressRoute,” said Canadian MSFT CEO Janet Kennedy. [Source]


CA – CRTC Fines Company $194,000 for Unsolicited Telemarketing Calls

The Canadian Radio-television and Telecommunications Commission issued a Notice of Violation to Thee Future Web Ltd. for violations of the Unsolicited Telecommunications Rules. The company made calls to individuals registered on the National Do Not Call List, had not registered or subscribed to the Do Not Call List, and did not provide the appropriate information in a clear manner upon reaching the individual. [CRTC – Notice of Violation – Thee Future Web Ltd] See also: [CRTC Fines Company $30,000 For Unsolicited Telemarketing Calls: Notice of Violation – Century 21 Innovative Realty Inc.] and [CRTC Fines Company $65,000 For Unsolicited Telemarketing Calls: Notice of Violation: Right at Home Realty Inc. – PDR 9174-1603]

Electronic Records

SA – South Africa: 32% of Business Not Confident in Cloud Data Security

Despite the many benefits of moving to the cloud, South African businesses are still hesitant to make the transition. There is still much uncertainty about the move and how it will affect business. …Here are five extra reasons why adopting the cloud could work for your business. According to Vodacom Business, 32% of South African businesses are not confident that data is secure when using a cloud service. There are several reasons why wariness of transitioning to the cloud exists such as:

  • Loss of control.
  • Handing the performance of your business over to a 3rd
  • What if the system fails?
  • What position will the business be in if it isn’t able to perform?
  • The fear of operations being affected.
  • Security concerns. [Source]


EU – Europol Director: Encryption Affects 75% of Agency’s Cases

Rob Wainwright, director of Europol, says encryption is a major problem in most of the cases the agency handles, Motherboard reports. Wainwright responded to an op-ed written by John Naughton for the Guardian on Twitter, proclaiming how encryption has been plaguing Europol cases. “Encryption dilemma must be solved soon. Real problem in 75% of all Europol cases” Wainwright tweeted. While Wainwright did not elaborate on the types of encryption troubling Europol, Claire Georges, a member from the agency’s corporate communications, said technology such as Tor and bitcoin are part of the problem. “Technology in general is used not only by cybercriminals, but also by drug dealers, child sexual offenders and other criminals involved in different illegal activities. Encryption is commonly used in secure communications and is becoming a standard protection feature in many products, such as e-wallets for virtual currencies,” Georges said. [Full Story]

EU Developments

EU – European Court Advisor: Dynamic IP Addresses Are Personal Data

Dynamic IP addresses are subject to privacy protection rules, the EU Advocate General said in a non-binding opinion. …The opinion, issued by Advocate General Manuel Campos Sánchez-Bordona, is online but has yet to be translated into English. The advocate general’s opinions are non-binding but they typically dictate how the European Court of Justice will rule. [Electronic Privacy Information Center] [CBS] [EU Advocate General Considers “Dynamic IP Addresses” as “Personal Data”: an Extension of Personal Data Scope?]

UK – ICO Issues Guidance for Direct Marketing by Charities & Business

Following a year that saw investigations into direct marketing by charities and a change in the law that led to the UK Information Commissioner’s Office setting record fines for nuisance calls and texts, ICO’s recent update of its guidance on direct marketing comes at a critical time. In light of the new guidance – as well as the new EU data protection regulation and expected review of the e-privacy directive – it’s more important than ever that those involved in direct marketing understand how to apply this complex area of law. Most of the new guidance focusses on helping charities to comply with the law, but it also gives helpful clarification for businesses that do direct marketing: particularly on the issue of what constitutes consent to use data, including ‘indirect’ consent. This article highlights the changes to ICO’s guidance, and what else is on the horizon that might affect how businesses conduct direct marketing. [Source]

Facts & Stats

UK – Survey Finds Brits ‘Confused’ About Security & Privacy Priorities

An F5 survey exploring attitudes to data and security handling found half of UK respondents agree that tech firms should prioritise national security over consumer privacy. Only 26% of Brits agreed that privacy should be prioritised over security. The survey found that two-thirds of respondents were concerned about their privacy being compromised, while 72% had no confidence in social networks to protect their data from hackers effectively. But despite this, more than half were willing to share personal information for free access to a company service. People, it seems, are willing to share date of birth (53%), marital status (51%) and personal interests (50%) in return for a free service. But almost a third (31%) see no value in giving their personal data to companies. Nearly all consumers (88 percent) feel strongly that organisations should improve authentication for greater security. [Source]


WW – Study: Google has denied 75% of RTBF requests

The organization behind the right to be forgotten application site, Reputation VIP, has released a new report which found that in the two years since Google began accepting RTBF requests, the company has refused 70 to 75 percent of them. Germany and U.K. residents most frequently make RTBF entreaties, the report states. While “invasion of privacy” is the top catalyst for most applications, “Google most frequently denies removal requests that concern professional activity,” the report states. “Following that, Google often denies requests where the individual involved is the source of the content sought to be removed.” [Search Engine Land]


AU – Database Makes Australian Credit Scores Public

A new credit rating database allows Australians to look up the credit scores of other civilians by address. Dubbed Georisk, the publicly accessible system exists for companies to “keep track” of consumers’ financial history while helping predict customers’ credit worthiness. It then ranks the scores on a risk factor from one to 10. The database has frustrated privacy advocates, the report states. “I think most people are going to feel their privacy is being grossly invaded by public disclosure of this information for anyone who wants to look at it for any purpose whatsoever,” said Civil Liberties NSW’s Stephen Blanks. [Yahoo7 News]

AU – Privacy Issues With Household Credit Ratings Posted Online

Civil libertarians have been left outraged by a public database which shows household credit ratings. It’s information anyone can look up, all that is needed is an address. Credit rating companies keep track of past financial behaviour to predict a person’s credit worthiness. Now companies are able to access a credit risk rating that has been applied to every household in Australia. Georisk aims to measure an individual’s financial risk, by putting consumers in a range from one to ten. The ratings are publicly available to anyone who wants to search it on a computer. Not everyone was pleased to know their information was publicly visible online. However the creators have defended the website, saying they weren’t offering anything that was sensitive to the individual. [Video: Outrage over private household information being released on public database] [Source]

WW – Payday Loan Ads Prohibited on Google

Google will no longer permit “payday loan ads” on its site. The Wednesday announcement is a concession to critics who argue that the lending practices exploit “the poor and vulnerable,” the report states. They pose a privacy concern as well. “You search the Internet when you need help — and as a result you may give search engines some really sensitive information about your finances,” said Georgetown Law Center on Privacy & Technology’s Alvaro Bedoya. He called Google’s decision a “principled stance,” adding that it will set a precedent for other search engines. [Full Story]

WW – Verizon 2016 Report Confirms People Are #1 Source of Data Breaches

Verizon has just published its 2016 Data Breach Investigation Report. In preparation for this publication, Verizon reviewed more than 100,000 incidents (reported by a plethora of technology companies, law firms, government agencies, and insurance companies, as well as through its own investigations), of which 3,141 were confirmed data breaches. The report yielded several interesting trends. Not surprisingly, most data breaches are about money — thieves stealing data because of its value. 63% of confirmed data breaches involved leveraging weak, default, or stolen passwords, proving that data thieves will exploit vulnerabilities to take the easiest route. Phishing continues to trend upward. People seemingly just can’t help clicking on authentic-sounding “click here to reset your banking password” e-mails. For example, Verizon found 30% of phishing messages were opened, unfortunately an increase from 23% in 2014. 12% then proceeded to open the malicious attachment or click the link, no doubt to their peril. Overall, 95% of breaches, and 86% of incidents across all industries, predictably fell into nine identified patterns:

  • miscellaneous errors (17.7%),
  • insider and privilege misuse (16.3%),
  • physical theft and loss (15.1%),
  • denial of service (15%),
  • crimeware (12.4%),
  • web app attacks (8.3%),
  • point-of-sale intrusions (0.8%),
  • cyber-espionage (0.4%),
  • and payment card skimmers (0.2%).
  • the bucket “everything else” category covered 13.8%.

Interestingly, many of the data breaches reported were not caused by super-secret and sophisticated Mission Impossible-style attacks involving hacking or the wearing of black ninja gear while scaling walls. Instead, many breaches fall into what I think of as the “people are people” category — highlighting human greed/avarice and our basic capacity to make dumb mistakes. [Source]


CA – Court Rules Severance Payment Information Is Exempted from Disclosure Under New Brunswick FOI Legislation

The Court considered an appeal of the Access to Information and Privacy Commissioner’s decision recommending St. Thomas University release information requested under New Brunswick’s Right to Information and Protection of Privacy Act. The Court ruled that, contrary to the Privacy Commissioner’s recommendation, an organization does not have to disclose severance payment information to a requester; such information is neither a “benefit” (it does not bestow an advantage or betterment on a recipient) nor “discretionary” (it is made only to avoid or settle litigation). [Elizabeth Hans v. St. Thomas University – 2016 NBQB 049 – In the Court of Queen’s Bench of New Brunswick, Trial Division, Judicial District of Fredericton]

CA – Information Commissioner Opposes Government Veto Power Over Releasing Files

Information Commissioner Suzanne Legault says giving the government a veto over the release of files would turn her federal watchdog role into “a mirage.” Legault told a Commons committee studying reform of the Access to Information Act that she firmly opposes the idea of a ministerial trump card over proposed new order-making powers for her office. The Liberals promised the information commissioner could issue “binding orders” during last year’s election campaign. …[Now] the Liberal government is floating the notion of a veto that would give the federal cabinet power to block release of documents even if [Information Commissioner] Legault ordered disclosure. [Source]

WW – The Intercept Is Broadening Access to the Snowden Archive

The Intercept has announced two innovations in how they report on and publish the Snowden Archives. Both measures are designed to ensure that reporting on the archive continues in as expeditious and informative a manner as possible, in accordance with the agreements we entered into with our source about how these materials would be disclosed, a framework that he, and we, have publicly described on numerous occasions. The first measure involves the publication of large batches of documents. We are, beginning today, publishing in installments the NSA’s internal SIDtoday newsletters, which span more than a decade beginning after 9/11. We are starting with the oldest SIDtoday articles, from 2003, and working our way through the most recent in our archive, from 2012. Our first release today contains 166 documents, all from 2003, and we will periodically release batches until we have made public the entire set. The documents are available on a special section of The Intercept. Accompanying the release of these documents are summaries of the content of each, along with a story about NSA’s role in Guantánamo interrogations, a lengthy roundup of other intriguing information gleaned from these files, and a profile of SIDtoday. We encourage other journalists, researchers, and interested parties to comb through these documents, along with future published batches, to find additional material of interest. Others may well find stories, or clues that lead to stories, that we did not. (To contact us about such finds, see the instructions here.) A primary objective of these batch releases is to make that kind of exploration possible. 
Consistent with the requirements of our agreement with our source, our editors and reporters have carefully examined each document, redacted names of low-level functionaries and other information that could impose serious harm on innocent individuals, and given the NSA an opportunity to comment on the documents to be published (the NSA’s comments resulted in no redactions other than two names of relatively low-level employees that we agreed, consistent with our long-standing policy, to redact). Further information about how we prepared the documents for publication is available in a separate article. We believe these releases will enhance public understanding of these extremely powerful and secretive surveillance agencies. [Source]

US – Appeals Court: DPPA Doesn’t Cover Traffic Accident Reports

A Wisconsin state appeals court has ruled that the Driver’s Privacy Protection Act doesn’t require law enforcement agencies looking to comply with open records laws to redact names from accident reports. DPPA in fact includes an exception for unredacted, non-Department of Motor Vehicles-supplied accident reports. The ruling came at the relief of Wisconsin officials who had “begun blacking out drivers’ names and other information that normally would be public in accident reports” for fear of DPPA violations, the report states. The court did, however, encourage a state circuit court to decide if the unredacted traffic accident information served a purpose beyond compliance, the report adds. [FierceGovernmentIT]


US – Vanderbilt Receives $4M to Study Genetic Data Privacy

The National Institutes of Health awarded researchers at the Vanderbilt University School of Medicine a $4 million, four-year grant to study the privacy ramifications surrounding genomic data use. “We’re really broadening our horizons to think about how history and public opinion and literature affect the way individuals and communities think about privacy concerns,” said primary investigator Ellen Wright Clayton. “Ultimately, the goal is to develop policy recommendations that address the complexity of what’s at stake.” Johns Hopkins University, University of Utah, and University of Oklahoma also received similar grants, the report states. [EurekAlert!]

Health / Medical

CA – OIPC SK Releases Comprehensive Guidance for Health Information Protection Act

The OIPC SK has provided trustees with guidance to interpret The Health Information Protection Act, including:

  • guidance on when to disclose personal health information to family and friends;
  • guidance on de-identified PHI;
  • guidance on faxing PHI;
  • recommended safeguards;
  • best practices for data sharing agreements; and
  • privacy breach guidelines.

The guidance includes circumstances under which PHI may be disclosed to family/friends, de-identification of PHI (including an explanatory list of techniques), considerations for data sharing agreements with providers, recommended security measures (including faxing considerations), and a 4-step privacy breach process. [OIPC SK – IPC Guide to HIPA]

WW – Providers Seek Cloud Solutions for Healthcare Data Security

Healthcare data security has become a top priority for IT professionals when it comes to investing in cloud applications in 2016, reported the survey. In the 2014 survey, only 31.3% of survey participants stated that their organization planned on investing in cloud solutions for disaster recovery purposes, which often includes healthcare data security measures. Researchers also found that respondents were implementing cloud services to develop more comprehensive incident recovery plans. When participants were asked to assess the motivation factor from 1 (least motivating) to 7 (highly motivating), healthcare data security response was evaluated at 5.11. [Source]

WW – Healthcare Suffers Estimated $6.2 Billion in Data Breaches

Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years. …The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identity thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes. [Source] [Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute]

Study: 90% of Health Care Organizations Suffered Data Breach

A Ponemon Institute report found nearly 90% of health care organizations suffered at least one data breach during the past two years, costing the industry $6.2 billion, InformationWeek reports. Ponemon’s “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” discovered 79% of those organizations suffered two or more breaches, with 45% saying they had been hit by more than five breaches. With most of the breaches exposing less than 500 records, the incidents are not reported to the Department of Health and Human Services. The report also discovered health care budgets for security have either dropped, or remained the same during the past year. In related news, Vormetric released a study revealing 90% of security pros in the financial sector feel vulnerable to data threats, with 44 percent already experiencing a breach. [Full Story] [The Star reports on the first person ever charged under Ontario’s new health care privacy law.]

US – World Privacy Forum Questions Adequacy of PMI Privacy Principles

The World Privacy Forum says privacy principles set forth for the Precision Medicine Initiative “lack detail and fail to address underlying legal requirements and protections.” In a research paper published this week, the organization notes that the HIPAA Privacy Rule will not apply to the research, and that the principles “appear to be voluntary and lack important legal and administrative details.” The current privacy principles in place for the initiative were created by the White House with help from experts working both inside and outside the government. They include categories such as transparency to participants and the public; respect for participant preferences; and appropriate data sharing, access and use. In the paper, WPF outlines its privacy concerns for the PMI and identifies issues that should be addressed. Some recommendations the authors make include:

  • The structure and organization of the initiative must be detailed so privacy protections can be assessed, and participants must know who will maintain their data.
  • Uses and disclosures of the data for security and law enforcement purposes should be clarified.
  • There is “immediate need” for a Privacy Impact Assessment, which then should be open for public comment.
  • Privacy rules should be described as covering health records, administrative records and monitoring from health devices and mHealth tools. [Source]

Horror Stories

WW – LinkedIn Resets Passwords as 117M Logins for Sale on Dark Web

LinkedIn has confirmed a significant breach from 2012 was worse than first thought, with the number of leaked usernames and passwords rising from 6.5 million to a purported 117 million. Earlier this week, fresh LinkedIn credentials went on sale on a dark web market known as The Real Deal. 117 million LinkedIn usernames and passwords will cost 5 Bitcoins, worth approximately $2,200. LinkedIn is in the process of resetting user passwords for every member who joined before 2012 who had not changed their password since the previously-reported breach. It confirmed the action in a blog post, in which it added: “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.” [Forbes]

Identity Issues

US – Firms Suffering Data Breaches Can Tap Free Customer Fraud Protection

Organizations that suffer data breaches may now be able to offer free fraud protection to their customers through a new program announced this week. Austin, Texas-based data security and analytics company XOR Data Exchange has launched a new platform, the Compromised Identity Exchange, which “aims to protect U.S. consumers, businesses and government entities from data breach-related identity theft and fraud.” Participation in the exchange is free to organizations that have suffered a data breach of personally identifiable information in order to drive widespread protection for breach victims. According to the firm, The Compromised Identity Exchange synthesizes breached records with ongoing fraud analysis to offer banks, financial lenders and other service providers “unprecedented insight into which of their accounts and applications carry a higher risk of fraud related to one or more data breaches.” It does this without the need for ongoing data sharing from breached entities, the firm stressed. [Source]

US – Stanford Study: Basic Phone Logs Can Reveal Your Intimate Details

Following Edward Snowden’s revelations about surveillance, officials have downplayed its programs as being concerned not with the actual content of email or phone calls, but “just” with collecting metadata, as if metadata didn’t reveal just about as much about us as does the content itself. Metadata, when it comes to phone communications, includes who we call or text, who they contact (that’s called a “hop”), when we call or text, and the duration of each call or length of each message. Since the surveillance revelations, there have been various studies about how much can be gleaned about us from metadata. The answer: a lot. Now, researchers at Stanford University in the US have done another study, and their findings confirm that basic, supposedly anonymous phone logs can be used to glean people’s names, where they live, their partners’ names, and intimate personal details. A sample of the researchers’ vignettes show the type of things they managed to infer:

  • Somebody’s planning to grow weed. Within less than 3 weeks, the subject made calls to a hardware outlet, locksmiths, a hydroponics store, and a head shop.
  • Somebody’s got heart problems. The evidence included a long call from the cardiology group at a regional medical center, brief calls with a medical laboratory, several short calls from a local drugstore, and brief calls to a self-reporting hotline for a cardiac arrhythmia monitoring device.
  • Somebody’s pregnant. Early one morning, the subject was on the phone with her sister for a long time. Two days later, she called a nearby Planned Parenthood clinic several times. Two weeks later, she placed more brief calls to Planned Parenthood, and she placed another short call a month after.

The study involved 823 participants who volunteered to have their metadata collected via an Android app on their phones. The researchers also required participants to have a Facebook account, so as to verify that they were over the age of 18, as well as to verify the accuracy of their results. [Naked Security] [TechCrunch] [“Evaluating the privacy properties of telephone metadata”]

US – Feds & States Continue to Expose SSNs on Mailed Documents

Americans Collecting Disability and Unemployment are at Risk of Identity Theft. Members of the FTC and consumer groups criticized the Employment Development Department’s (EDD) practice of using the numbers as identifiers on mailed documents and state lawmakers from both sides of the aisle demanded the EDD make changes. The coverage ultimately shamed the EDD into doing what it had long insisted was impossible. Three months after our first report, the agency began redacting social security numbers on the most commonly mailed documents. However, now we’ve discovered the EDD is still printing the number on many other mailed documents, including those sent to claimants collecting disability. The EDD is not alone in mailing sensitive information. ConsumerWatch reached out to every state in the nation and only 8 of the 42 states that responded say they redact Social Security numbers on all mailed documents. Like California, 17 admit they still mail the full number on documents to both claimants and employers. Another 17 states say they only print the full SSN on documents mailed to employers. However, that is just as concerning for many who don’t trust that their former employers will take the same care that they would to properly dispose of the documents. [Source]

Intellectual Property

CA – Ann Cavoukian Launches Global Council on PbD Standards

Ann Cavoukian, former Ontario, Canada information and privacy commissioner, will form a new international council to advocate and set standards for privacy by design. The International Council on Global Privacy and Security: By Design will work with companies, national privacy commissioners and technology professionals to educate the public and raise awareness for privacy by design. Cavoukian set out three goals for the council:

  •  educate politicians, businesses, government, media and the public that systems can and must be engineered to protect both privacy and security;
  •  create policy templates that can show how privacy can be applied to technologies in the digital age; and
  •  foster technology innovation in academic institutions around the world to foster privacy and public safety, as well as privacy and business interests, such as big data and data analytics, without sacrificing either privacy or security. [Source]

Internet / WWW

WW – Study: Facebook, Google own top-used third parties

Google and Facebook-owned third parties are among the top-used on the Internet’s most-viewed sites, a new study from the Princeton Web Census shows. “Google owns seven of the 10 most loaded third-party domains,” the report states, adding Google Analytics was by far the most popular. “The remaining three are all owned by Facebook.” While the study found the number of third parties a typical Internet user would engage with is “relatively small,” news websites are among those with the highest number of trackers. “Since many of these sites provide articles for free and lack an external funding source [these sites] are pressured to monetize page views with significantly more advertising,” the study states. [Full Story]

Law Enforcement

US – National Institute of Justice to Review Body Worn Cameras, Seeks Input

The National Institute of Justice (“NIJ”) is soliciting information in support of the upcoming National Criminal Justice Technology Research, Test, and Evaluation Center (NIJ RT&E Center) “Market Survey of Body Worn Camera (BWC) Technologies”; input is due May 31, 2016. [Source]


WW – Study: Just 8 Tweets Can Reveal Precise Location

MIT and Oxford University researchers say with just eight tweets, “a relatively low-tech snooper” can deduce a user’s whereabouts using location stamps. A paper presented by researchers Ilaria Liccardi, Alfie Abdul-Rahman and Min Chen at a recent conference says while Twitter’s location notation is opt-in, many users reportedly engage the services. “With this study, what we wanted to show is that when you send location data as a secondary piece of information, it is extremely simple for people with very little technical knowledge to find out where you work or live,” Liccardi said. Their work was a part of MIT’s Internet Policy Research Initiative, a program geared toward increasing social media privacy awareness. [MIT News]

Online Privacy

WW – Researchers Publish Information on Nearly 70,000 OkCupid Users

Nearly 70,000 OkCupid users had their data published by researchers, including their usernames, location, sexual turn-ons and sexual orientation. Two Danish researchers, Emil O. W. Kirkegaard and Julius D. Bjerrekær, collected the data from the dating website using a scraper, a tool saving certain segments of a Web page. The scraper targeted random profiles who had answered numerous OkCupid multiple-choice questions. While the researchers’ actions were legal, criticism has been levied at the project. Scott B. Weingart, digital humanities specialist at Carnegie Mellon University, said in a tweet he could use the information to re-identify the actual identities of OkCupid users. Weingart claimed he could with 90 percent accuracy connect sexual preferences and histories to real names of over 10,000 of the OkCupid users. [MotherBoard]

WW – OKCupid Study Raises New Questions About ‘Public’ Data

When you sign up for a dating website, you are making your information available for other users to see. But does that mean your information is “public”? Experts are now mulling this question after a group of researchers released a data set of nearly 70,000 users from the online dating site OkCupid. The researchers used a “scraper,” or a browser extension designed to collect data from web pages, to collect the data. In other words, they collected the data without OkCupid’s permission, breaking the site’s terms of usage and the Computer Fraud and Abuse Act. The data was uploaded on Open Science Framework, an online forum that encourages researchers to share data for easy collaborations, but it has since been removed. The scraped data revealed many user details including name, age, gender, religion, and detailed information about users’ habits and preferences. When asked whether the researchers took measures to anonymize the data, Mr. Kirkegaard, the lead researcher responded, “No. Data is already public… All the data found in the dataset are or were already publicly available, so releasing this dataset merely presents it in a more useful form.” But even if the data is available to other users, should it be shared publicly? Some experts don’t think so. While OkCupid lets registered users view profiles of other users on the site, that doesn’t justify anyone releasing this information to the public, they say. In this case, the researchers breached the ethics of Social Science Research, which requires researchers to obtain consent from subjects as well as ensure that researchers are maintaining confidentiality before they can publicly share personal information. The OkCupid profiles include very personal information on everything from political views to sexual habits. OkCupid asks its users hundreds of questions to help its algorithm generate better matches. 
Though the researchers didn’t release real names with the data, just profile user names, that is not considered maintaining confidentiality, say experts. One Twitter user claimed that he could link some bits of data to actual names of more than 10,000 users on OkCupid. [The Christian Science Monitor] See also: [OkCupid Study Reveals the Perils of Big-Data Science]

WW – Study: 16% of Apps Access Info Sans Consent

Deloitte published its annual privacy index 10 May, which found that of 88 brands’ apps, from various industries in Australia, 16% accessed users’ phone data without notifying them. The surveyed brands were not named, although Deloitte’s Tommy Viljoenhen called them among “the most trusted.” He added, “What’s happening with the brands we don’t know about? As consumers, are we even aware of the extent to which information is being collected without our knowledge?” [Mashable]

Other Jurisdictions

US – Report: Schools ‘Soft Targets’ for Data Collection

A new report details how schools are “soft targets” for companies looking to obtain data and market to children. “Learning to be Watched: Surveillance Culture at School,” from the National Center for Education Policy at the University of Colorado at Boulder, discusses how student privacy has been compromised by organizations creating relationships with schools, often through free technology. The report also discusses how laws created to protect student privacy, including the Children’s Online Privacy Protection Act, have major weaknesses. “Schools have proven to be a soft target for data gathering and marketing. Not only are they eager to adopt technology that promises better learning, but their lack of resources makes them susceptible to offers of free technology, free programs and activities, free educational materials, and help with fundraising,” the report said. [The Washington Post]

Privacy (US)

US – SCOTUS on Spokeo: Life Just Got Harder for Class-Action Lawyers As Court Rejects ‘No-Injury’ Cases

Plaintiff lawyers who have built a lucrative business over the past few decades suing companies over minor legal breaches that arguably harmed no one may have a tougher time bringing cases following the U.S. Supreme Court’s decision in Spokeo v. Robins, requiring plaintiffs to plead a “concrete” injury to proceed in federal court. The decision wasn’t a complete win for corporate defendants as the court left plenty of room for creative lawyers to craft complaints that allege their clients suffered an injury, no matter how small, from miscues like data breaches or incorrectly worded mortgage documents. But by stating clearly that some injury is required under Article III of the Constitution, the court may have ended the long-profitable business of suing companies over nothing more than statutory damages provided under laws like the anti-robocalling Telephone Consumer Protection Act. Spokeo was sued by Thomas Robins, who claimed the online information site inflated his education credentials and made other errors that may have caused him to have a harder time finding a job. I say “may have,” since it is extremely unlikely any potential employers actually looked at his entry on Spokeo and Robins didn’t provide any evidence supporting the idea he was harmed. [Forbes] See also: [Brace for more class action challenges post-Spokeo]

US – EFF Releases Annual Report

The Electronic Frontier Foundation released its 2015 annual report, covering all of the work the organization has achieved during the past year. The group celebrated more than 500,000 installations of its Privacy Badger browser extension and the two-millionth certificate of its Let’s Encrypt service. The EFF also touted major activism and law efforts it has completed in the past year. “We fight to make sure people have access to the speech platforms and privacy tools that help them take control of their world,” said EFF Executive Director Cindy Cohn, adding, “Based in part on our near decade of activism and legal work, Congress also passed the USA Freedom Act, the first real restrictions and oversight imposed on the NSA’s surveillance powers since 1978.” [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Acronis Applying Blockchain to Data Protection Problems

Acronis has announced a new strategic initiative to develop applications of Blockchain technology for data protection. The company announced the initiative at its 2016 VIP Partner Summit held in Singapore this week. Acronis is taking a unique and targeted approach at how Blockchain can be used to solve specific data protection problems by seeking and developing use cases that exist today. Data and transactions that are protected from tampering by Blockchain can be used for those use cases where individuals or businesses absolutely must maintain the integrity of the original information. [Source] See also: [IBM Touts Blockchain to National Cyber Security Commission]


WW – Almost Half of Companies Don’t Teach Staff Data Security

44% of companies do not think it should be compulsory for staff to be trained around data security, even though they have formal data protection processes in place. This is despite the security firm finding more than 22% of IT professionals have shared confidential information using an unsecure file sharing platform such as Google Drive, OneDrive or Dropbox, while 10% said they have shared data with people outside the company. Employees are also no strangers to data loss. 13% of the 2,000 IT professionals questioned admitted they have lost data while at work and 5% said they have experienced a data breach. Egnyte also explained that 14% of staff had opened an unsecure link that had been sent to their work email and 12% had used a public Wi-Fi network to work on confidential documents. “File sharing technology is sound from a security perspective… The root cause of mishaps is simply lack of awareness. With conscious effort to educate end users, enterprises can secure their data at little real cost. “Additional measures as simple as creating a checklist of content protection recommendations and making it readily available to employees, or integrating content management best practices into onboarding, can move the needle.” [Source]


US – Privacy Groups, Industry Agree to Best Practices for Drone Use

Stakeholders taking part in the National Telecommunications & Information Administration Multi-Stakeholder process have agreed to a set of best practices for drones. The practices are designed to provide flexibility for drone use, especially for smaller operators, while providing strong privacy standards. Groups agreeing to the practices include Amazon, the Software & Information Industry Association, and the Consumer Technology Association. “These standards will help ensure these technologies are deployed with privacy in mind,” said Future of Privacy Forum CEO Jules Polonetsky. In a blog post, Center for Democracy & Technology Vice President of Policy Chris Calabrese said, “As the nascent drone industry is starting to take-off, adopting these best practices will help ensure that drones fly safely, ethically and respectfully.” [FPF]

US – CDT, Fitbit Collaborate On Best R&D Privacy Practices for Wearables

The Center for Democracy & Technology joined forces with Fitbit to release a report detailing the best privacy practices for research and development teams working in wearable technologies. Together with Fitbit, the CDT conducted interviews, surveys and other research to assess industry trends and best practices. “R&D teams in wearable technology can and should also be laboratories of privacy and ethical research best practices,” wrote CDT and Fitbit. The paper also offers “practical guidance on privacy-protective and ethical internal research procedures at wearable technology companies,” they add. Other key takeaways include the need for a culture of privacy, security and ethics in R&D, successful management of many different forms of trust with consumers, and the need for policies and procedures for handling ethical questions on R&D teams. [Full Story]

Telecom / TV

US – Tracking Apps Raise Security, Privacy and Legality Questions: GAO

Tracking apps can be useful in a variety of ways, such as letting consenting spouses know each other’s locations. However, location data from mobile devices can be highly personal … “GAO found that some federal laws apply or potentially apply to smartphone tracking apps, particularly those that surreptitiously intercept communications such as e-mails or texts, but may not apply to some instances involving surreptitiously tracking location. Statutes that may be applicable to surreptitious tracking apps, depending on the circumstances of their sale or use, are statutes related to wiretapping, unfair or deceptive trade practices, computer fraud, and stalking. [Experts the GAO interviewed] also expressed concerns over what they perceived to be limited enforcement of laws related to tracking apps and stalking,” the GAO stated. [Network World]

US Legislation

US – Legislative Roundup

Workplace Privacy

US – FTC Releases FCRA Guidance

The FTC has published new guidance to assist employment background checking agencies with Fair Credit Reporting Act compliance, the agency announced in a statement. The guidance is primarily concerned with showing companies what work would qualify them as a consumer reporting agency and, given that, what their legal obligations may be. [FTC]

US – Social Media Posts Now Fair Game for Security-Clearance Applications

Director of National Intelligence James Clapper released a policy May 13 that confirms federal agencies will begin using public information from social media sites when looking at security clearance applications. Information the government finds irrelevant will be deleted from their servers, the report states. Some lawmakers expressed concern. “How do we flag the serious from the trivia?” asked Rep. Gerry Connolly, D-Va. “How do we make sure we don’t have some enormous depository of government information” that is held? [The Washington Post]

US – Workplace Monitoring Gets Easier Under New Law

“Companies that monitor their employees’ emails or Internet activity now have new protections from potential allegations of wiretap violations: Under the Cybersecurity Act of 2015, companies enjoy liability protection for the monitoring of their information systems for ‘cybersecurity purposes.’” “The act’s inclusion of liability protections for cybersecurity activities to safeguard the confidentiality of information suggests that monitoring in order to protect trade secrets and intellectual property could receive liability relief in addition to monitoring for general network security.” [Full Story]

CA – Suncor Wins Legal Round for Random Oilsands Drug Testing

A Court of Queen’s Bench judge has quashed a 2014 arbitration panel ruling that determined the proposed testing plan would violate the privacy of union workers represented by Unifor. Justice Blair Nixon said the panel should have considered evidence about alcohol and drug incidents involving all workers at Suncor, including non-union contract employees. “By focusing only on the bargaining unit, the majority (of the panel) expressly excluded consideration of relevant evidence,” Nixon wrote. “The majority ignored evidence pertaining to some two-thirds of the individuals working in the oilsands operation.” [Source]



7-11 May 2016


US – Federal Judge Says Facebook Photo-Tagging Suit Can Continue

A San Francisco federal judge is allowing a case against Facebook’s facial recognition, photo-tagging feature to proceed. Plaintiffs have argued the feature violates users’ privacy, as the facial recognition technology goes against Illinois’ Biometric Information Privacy Act, which requires companies to obtain explicit consent from users before gathering biometric data. While Facebook argued the feature is covered in its terms of service, and that the suit should be dismissed, U.S. District Judge James Donato disagreed. “Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology,” Donato wrote in his ruling. [USA Today] See also: [Facial-recognition tech used for anti-theft initiatives] and [Italy’s Data Protection Authority has mandated that Facebook disclose details of an instance of trolling in a case where the user claims the social network responded unsatisfactorily, International Business Times reports]

EU – EU Proposes Minority Report-Style Facial Recognition for Refugees 

In its attempts to bring the refugee crisis to heel, the European Commission wants to expand its fingerprint database, introduce facial recognition software, store the information for even longer than before and include minors in the process. The EU is planning wholesale changes to the bloc’s asylum law. In addition to a “fairer” distribution system for refugees and an extension of border controls within the Schengen area, the Eurodac fingerprint database, which is currently used to identify asylum seekers and irregular migrants, is to be enlarged. The system is set to be supplemented with facial recognition software and personal data will be stored for a longer period of time, with the aim of ensuring that irregular migrants stay on the authorities’ radar; the information of underage refugees will also be kept. The upgrade will cost some €30 million. [Source]

US – Illinois Anger Over Elementary School Student Thumbprint Scanner

Privacy advocates are concerned about what looks to them like Big Brother overreach in an Illinois elementary school. The Harrison Street Elementary School in Geneva has installed a new thumbprint scanner for students to pay for their meals and keep track of their accounts. The thumb scanners replaced another biometric device by PushCoin Inc. that the school used last year. These types of devices are growing in popularity and other districts are looking to implement the scanners. But not everyone thinks they are a good idea. Parents are able to opt out and use a card if they want to. [Source] [Daily Herald]


CA – OIPC SK Releases Guidance Regarding Access to Personal Information of a Child Under the Age of 18

The Office of the Saskatchewan Information and Privacy Commissioner has released guidance relating to obtaining personal information of a child under the age of 18 years. Included is a list of common questions and responses. Unless otherwise ordered by a Court or a custodial agreement, the Children’s Law Act, FOIP, LA FOIP and HIPA confer the right or power of a legal custodian to request access to personal information of a child under the age of 18; trustees need to exercise discretion when determining if the disclosure is reasonable or will constitute an invasion of the child’s privacy, such as when the child expresses they don’t want a parent to know or if the information is highly sensitive. [Office of the Saskatchewan Information and Privacy Commissioner – Who Signs for a Child?]


NZ – Privacy Commissioner Survey Finds Privacy a Major Concern

New Zealanders are becoming increasingly worried about their privacy, according to a new survey. In the new UMR public opinion survey, commissioned by the Privacy Commissioner, 46% of the 751 people questioned said they were growing more worried about individual privacy, and their online information in particular. That is especially the case for young people and those with a university education. Privacy Commissioner John Edwards said there was a high level of concern about identity theft as well as financial and health information. About 80% of those surveyed were worried about identity theft and their credit card and banking details being stolen. Nearly all respondents – 87% – were concerned about the personal information children upload to the internet. The survey also found that 62% felt personal data should not be shared between government organisations, as the risk to people’s privacy and security outweighed the benefits. But they were more open to data sharing when safeguards were put in place, with a small majority willing to share data as long as they could opt out if they chose, or if there were strict controls on who could access the data and how it was used. [Source] [Survey]

WW – Snowden’s Surveillance Leaks Made People Less Likely to Read About Surveillance

A new Oxford University study has published empirical evidence showing that government mass surveillance programs like those exposed by Edward Snowden make us significantly less likely to read about surveillance and other national security-related topics online. The study looks at Wikipedia traffic before and after Snowden’s surveillance revelations to offer some new insight into the phenomenon of “chilling effects,” which privacy advocates frequently cite as a damaging consequence of unchecked government surveillance. What it found is that traffic on “privacy-sensitive” articles dropped significantly following what author Jon Penney describes as an “exogenous shock” caused by revelations of the NSA’s mass surveillance programs and the resulting media coverage. The articles were chosen based on keywords from a list of terms flagged by the Department of Homeland Security, used for monitoring social media for terrorism and “suspicious” activity. For example, Wikipedia articles containing the 48 terrorism-related terms the DHS identified, including “al-Qaeda,” “carbomb” and “Taliban,” saw their traffic drop by 20%. The results also mirror a similar MIT study from last year which found that users were less likely to run Google searches containing privacy and national security-related terms that might make them suspicious in the eyes of the government. Perhaps even more alarmingly, the study seems to show a long-term drop in article views on these topics that lasts well past the initial shock of Snowden’s revelations, suggesting that people’s calculations about what to read on Wikipedia may have been permanently affected. [Source]


US – Former Officer Is Jailed Months Without Charges, Over Encrypted Drives  

A former police sergeant has been held without charges in a federal detention cell in Philadelphia, part of an effort by the authorities to pressure him to decrypt two computer hard drives believed to contain child pornography. The case reveals yet another battle line for law enforcement and digital privacy advocates over encryption, this time on an Apple computer, not an iPhone. The sergeant, Francis Rawls, was ordered by a federal court last August to hand over the two hard drives, which were seized from his home because they were suspected to contain the illegal pornography. When he refused to decrypt the drives, claiming he could not remember the passwords, he was taken into custody, and this week he started his eighth month in a federal detention center, all without ever being charged with a crime. Mr. Rawls’s case is the latest in a growing number of legal battles over digital privacy in the United States. The challenges are playing out in courts across the country, propelling a national debate over when the government can compel individuals or companies to disclose codes or passwords giving access to private data. “Not only is he presently being held without charges, but he has never in his life been charged with a crime,” Keith M. Donoghue, his federal public defender, wrote in a motion last week seeking his client’s release. [Source]

EU Developments

EU – GDPR, Directive 2016/680, PNR Officially Published

It’s finally final for three separate pieces of privacy legislation in the EU. On 4 May, the Official Journal of the European Union published the texts of the General Data Protection Regulation, officially Regulation 2016/679; Directive 2016/680, governing the handling of data in law enforcement situations; and the Passenger Name Record Directive, officially Directive 2016/681. This creates something of a countdown clock for privacy professionals. As the GDPR goes into effect two years and 20 days following its publication in the Official Journal, 25 May 2018 takes on new portent. [Lex-Europea] See also: [The European Parliament is struggling to set a date for a plenary vote on the EU-U.S. Privacy Shield] [The US Supreme Court has updated Rule 41, allowing federal judges to issue warrants for computers outside of their jurisdiction, potentially threatening the EU-U.S. Privacy Shield.]

UK – Employers Vicariously Liable for Data Breaches Caused by Rogue Employees

In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence [2016] EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues. [Source] [PDF]

EU – CJEU to Rule on Test Data Case

The Supreme Court of Ireland has referred to the Court of Justice of the European Union the question of whether a man’s accounting exam is considered personal data under the Data Protection Act. After being denied access to his test by both his school and the Data Protection Commissioner, plaintiff Peter Nowak argued in the Circuit Court and then appealed to the High Court that his handwritten test qualified as biometric, and therefore personal data, the report states. He further argued that as exam results are “considered personal,” the test and exam comments ought to be too. [Independent]

Facts & Stats

WW – UNCTAD Publishes Report on Data Flows, International Trade

Late last month, the United Nations Conference on Trade and Development released a new study on privacy law, trans-border data flow and their implications on international trade and development. The in-depth and substantive report also places a focus on developing nations. “The study reviews the current landscape and analyzes possible options for making data protection policies internationally more compatible,” the report states. Contributors to the report include international organizations, government bodies, the private sector and civil society. “The findings of the study should help to inform the much needed multi-stakeholder dialogue on how to enhance international compatibility in the protection of data and privacy,” the report adds. [UNCTAD]


CA – BC Makes Changes to Freedom of Information Law

B.C. cabinet’s travel receipts, calendars to automatically be made public: Finance Minister Mike de Jong has issued a rare order under B.C.’s Freedom of Information law to ensure that travel receipts and daily calendars for cabinet ministers and their senior officials are automatically made public. The change was part of a series of directives issued by Mr. de Jong to respond to criticism that his government has deliberately thwarted the release of information to the public through the practice of triple-deleting e-mails within government and relying on oral reports to avoid the creation of documents that could be accessed. Vincent Gogolek, executive director of the BC FIPA, said Mr. de Jong’s changes are both minimal and long overdue. “They are not doing nothing, but they are doing the least possible,” he said. Mr. Gogolek predicted one of Mr. de Jong’s new initiatives will be counterproductive. Starting this month, the government will publish all active access-to-information (FOI) requests, a measure that Mr. de Jong said will provide more transparency on government response times. However, Mr. Gogolek said the change could discourage access requests. “This is exposing FOI requesters. The privacy commissioner has asked for anonymity for those making information requests, and this seems to be going in the opposite direction.” [Source]

CA – B.C. Privacy Commissioner Mainly Positive Toward New FOI Policies

British Columbia’s Information and Privacy Commissioner is praising the province’s expansion of its Access-to-Information policies, but she’s also concerned about the potential “unintended consequences” of a decision to post information requests as they are received. Elizabeth Denham issued a statement on Tuesday that offered a largely positive assessment of the changes, which were announced a day earlier, but singled out the disclosure of Freedom-of-Information (FOI) requests as a potential concern. “I wish to examine all possible implications, including any unintended consequences, of publicly disclosing a description of an applicant’s request for records before they have received those records,” Ms. Denham said in her statement. [Source]

CA – OIPC BC Finds Ministry Properly Withheld Information Relating to Tolling Framework

The OIPC BC reconsidered Order F14-20, pursuant to a court order, where the Ministry of Transportation and Infrastructure refused to disclose information requested under the Freedom of Information and Protection of Privacy Act. Disclosure of the information would reveal the substance of the Ministry’s deliberations because it contained financial implications of the framework, and a presentation that formed the basis of the Priorities and Planning Committee’s deliberations; although the decision to impose a toll was made public and implemented, the information should not be disclosed because it related directly to the issues the Committee considered. OIPC BC – Order F16-22 – Ministry of Transportation and Infrastructure [Re-consideration Order – F16-22] [Original Order – F14-20]

US – ODNI Releases Documents as Part of FOIA Pilot Program

The US Office of the Director of National Intelligence released several documents as part of a pilot program with the Freedom of Information Act. The ODNI is one of seven federal agencies contributing to the program, with the goal of making FOIA record requests available to the public. During the program, the ODNI will announce the release of “proactive disclosures.” The first group of documents released includes “Unlocking the Secrets: How to Use the Intelligence Community” and “Semiannual Report to the Director of National Intelligence – Office of the Inspector General of the Intelligence Community.” [Full Story]


CA – Looking for an ‘Internet of DNA’

The Star reports on calls by some researchers to create an “Internet of DNA” to help treat rare genetic diseases and psychological disorders. “If we’re looking to 2025, I see a kind of World Wide Web for health, a true Internet for health, which doesn’t exist today,” said Dr. Tom Hudson, a genomics researcher and president of the Ontario Institute for Cancer Research. “We are transforming a lot of information into digital bits and that information is huge,” he added. Such a DNA network could transform medicine and how diseases are cured, researchers argue. Currently, valuable medical data is contained in silos, “while legal, technical and cultural barriers prevent scientists from easily sharing their data troves,” the report states. “If nothing is done, there is a risk that balkanized systems will soon become established,” the Global Alliance’s website points out. [Full Story]

Health / Medical

CA – Northern Canadian Hospital Confirms Staff Wrongly Accessed Patient Records

Security experts emphasize that organizations have to limit access to databases with sensitive information. However, they also have to carefully design information systems themselves so sensitive data doesn’t appear on screens users have legitimate reasons to see. That appears to have failed at a health authority in Canada’s far north, which confirmed that employees inappropriately accessed patient health records through an online scheduling system in what appears to be a case of employee snooping. CBC News reported that some staff at the Beaufort-Delta Health and Social Services Authority, which serves 6,700 residents of the Beaufort Delta Region in the Northwest Territories, including the Inuvik Regional Hospital, have been disciplined for wrongly accessing records of 67 patients. The information “had been inappropriately accessed by staff outside a legitimate scope of duties,” Arlene Jorgensen, CEO of the Inuvik Health Authority, was quoted as saying. The institution’s scheduling system includes expected information such as appointment times and check-out dates. But it also lists the reason patients were at the hospital. Several staff members who had accessed this information did not need it to do their jobs, according to the health authority. The authority emphasized that detailed information, such as diagnoses, was not accessed during the breach. [Source]

CA – Ontario Appeals Board Finds Regulatory Committee Failed to Adequately Investigate Complaint Alleging Physician Inappropriately Accessed Patient Files

The Board reviewed the decision of the Inquiries, Complaints and Reports Committee of the College of Physicians and Surgeons regarding a complaint made against a physician. The regulatory committee failed to properly examine whether the access took place after the physician left a clinic, may have improperly concluded that the access was due to the nature of the filing system (computer logs may support a different conclusion), and failed to consider that the alleged breach is a serious matter under PHIPA; mandatory further investigation should include direct questioning of the physician, examining how the electronic filing system operates, and determining what system access is allowed a non-treating professional. [F.J.S., MD v. S.S.E., MD – 2016 CanLII (ON HPHARB) – Health Professions Appeal and Review Board]

CA – Ontario Appeal Board Upholds Verbal Caution to Pharmacist Regarding Confidentiality

The Health Professions Appeal and Review Board reviewed an investigation of the Inquiries, Complaints and Reports Committee of the Ontario College of Pharmacists, into a pharmacist’s solicitation of new business. The pharmacist obtained patient information from his previous employer and used it to establish clientele for his new business; the Committee found that this active solicitation of business was inappropriate, and warned the pharmacist that he must maintain patient confidentiality, not use patient information for improper purposes, demonstrate professionalism and ethical principles, and respect patients’ right of self-determination. [J.J. v G.C., 2016 CanLII 21553 (ON HPARB) – File#15-CRV-0181]

US – OCR Cautions Hospitals to Prepare for Breaches at Business Associates

With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations. The alert OCR sent last week said that following the 2015 hack of the U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears. “Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said. As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors. [Source] See also: [Ontario’s legislature has passed the Health Information Protection Act in its third reading. The act aims to improve privacy, accountability and transparency in health care, according to a news release]

US – Brookings Calls Out OCR on HIPAA Audits, Offers Security Tips for Healthcare Organizations  

With the healthcare industry suddenly accounting for nearly 25% of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed. Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one data breach. He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn’t doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices. In his report, “Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches,” Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches. [Source] See also: [Status report: OCR’s effort to guide HIPAA compliance in mobile health] [Earlier HIPAA Audits Help Healthcare Data Breach Prevention]

Horror Stories

CA – Two Convicted of Snooping on Rob Ford

An Ontario court has convicted two health care workers for unauthorized access to the late mayor Rob Ford’s medical records, the first such conviction under the province’s health privacy law. Both workers pleaded guilty under PHIPA to “willfully collecting, using or disclosing personal health information,” the report states. The former employees have also each been fined $2,505 for the incident. There is no evidence the workers shared the health records they accessed. [The Star] See also: [College of Nurses of Ontario disciplines nurse who snooped into patient records: Mandy Gayle Edgerton – Results of Past Hearings – College of Nurses of Ontario | Toronto Star]

UK – London HIV Clinic Fined £180,000 for ‘Serious’ Data Breach

A London HIV clinic that leaked data on 781 of its patients has been fined £180,000. 56 Dean Street, based in London’s Soho, sent an email newsletter with all patient email addresses in the ‘To’ field, rather than the ‘Bcc’ field. The email addresses allowed for the identification of the patients – 730 of the 781 contained people’s full names – and constituted a “serious breach” of data protection rules, the Information Commissioner’s Office (ICO) said. The Option E newsletter was intended for people using the clinic’s sexual health services and gave general details for treatment and support. The ICO said the breach was “likely to have caused substantial distress” to those who were included on the list. Under data protection rules, information about a person’s health or sexual life is deemed as sensitive and the organisation issued the monetary penalty after an investigation. “It is clear that this breach caused a great deal of upset to the people affected,” Information Commissioner Chris Graham said in a statement. “We recalled/deleted the email as soon as we realised what happened. If it is still in your inbox please The NHS Trust can appeal the decision but if it decides to pay the fine before June 2 it will be reduced to £144,000. Medical director and Caldicott Guardian Zoe Penn, from the clinic, said that it “fully accept[s]” the decision of the ICO and that the organisation had made changes to its procedures. [Source]

Internet / WWW

WW – Twitter Bans US Spying Agencies from Terrorism Early Alert Service

In the growing fury over terrorism, surveillance and privacy, Twitter has shoved the US government further away by closing down US spy agencies’ access to a data-mining service that spots terror attacks. The company hadn’t announced the news as of Monday morning. Rather, a senior official in the intelligence community, along with others privy to the matter, told the Wall Street Journal about it. The service in question is Dataminr: a real-time information discovery service that analyzes the output of Twitter’s firehose of real-time public tweets, geolocation data, traffic data, news wires and other data streams, to turn up breaking news such as natural disasters, political unrest and terror attacks. [Source]

Law Enforcement

US – Digital Rights Group Challenges Legality of ‘Thematic Warrants’

Privacy International has filed a judicial review challenging a decision regarding the sanctioned use of “thematic warrants.” The digital rights group sent the review to the U.K. High Court, appealing an earlier decision by an oversight tribunal of the security agencies in the U.K. over the use of the warrants. Privacy International is arguing the legality of the “thematic warrants” — orders giving the government major invasive investigatory powers covering wide classes of people and property. The group first challenged the use of the warrants in 2014, saying they violate Articles 8 and 10 of the European Convention on Human Rights. In related news, the Guardian reports on another privacy advocacy group putting an interesting face on its campaign against the Investigatory Powers Bill: North Korean leader Kim Jong-un. [TechCrunch]

US – New Hampshire State Claims that Secret Recording of Police Is a Crime

New Hampshire outlaws recording conversations when any party to the conversation “has a reasonable expectation that the communication is not subject to interception, under circumstances justifying such expectation,” thus requiring the knowledge of all parties before such a conversation can be recorded. Most states require only “one-party consent,” under which you can record a conversation to which you are a party, because you consent to the recording, even if the others don’t. But some states — including New Hampshire — require “all-party consent,” or at least all-party knowledge, that the conversation is being recorded. And New Hampshire authorities read this as applying even when someone is recording his conversation with the police. Indeed, Alfredo Valentin is under indictment for recording such a conversation, between himself and the police officers who were searching his home. The U.S. Court of Appeals for the 1st Circuit, which is in charge of cases from New Hampshire, has held (Glik v. Cunniffe) that a similar Massachusetts law violates the First Amendment; but that case involved someone openly recording the police, and the court stressed that fact in the Fourth Amendment portion of the Glik opinion. New Hampshire authorities appear to take the view that secret recording of the police can be banned, even if open recording cannot be. [Source] See also: [New Jersey Governor Chris Christie has approved a bill making it illegal to surreptitiously record or photograph a person’s undergarments.]

Privacy (US)

US – FTC and FCC Join Forces to Examine Mobile Security

The FTC and the FCC are working together to examine the current state of mobile security. The FTC is issuing orders to eight mobile device manufacturers, requiring them to give the agency information on their procedures for issuing security updates to remedy device vulnerabilities. The companies receiving orders include Apple, Google, Microsoft and Samsung. The eight companies must provide details such as “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device” and “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013.” The FCC issued a press release announcing its cooperation with the FTC, and how it will send letters to mobile companies on how they evaluate and deliver security updates. [FTC] See also: [The Senate Judiciary Committee’s subcommittee on Privacy, Technology and the Law will host a May 11 hearing on the Federal Communications Commission’s proposed privacy rules] and [The New Privacy Cop Patrolling the Internet And it’s armed with new data-privacy rules]

US – Neopets, Global Email Addresses Among this Week’s Biggest Breaches

A dataset from JumpStart’s online game Neopets was posted online, with Motherboard reporting that the number of customers affected allegedly numbered more than 70 million. The information compromised varied from customer to customer, but no credit card or home addresses were breached, said JumpStart’s Jim Czulewicz. While the dataset appeared to be dated before JumpStart acquired Neopets in 2014, the company planned to alert customers regardless. reports that out of the recent global breach of more than 272.3 million email accounts, an estimated 42,000 accounts are Irish. [NextGov]

US – Lyft, Uber Among EFF Data-Sharing Report Top Scorers

The Electronic Frontier Foundation awarded Uber and Lyft perfect scores on the group’s sharing economy data protection study. When grading organizations, the EFF considered whether they published transparency reports and whether companies required government agencies to provide a warrant before they shared user data, the report states. “Consumers should be able to understand their privacy rights by reading the policies of the companies that hold their data,” EFF’s study states. [Fortune]

WW – Bark Helps Parents Keep Kids Safe Online Without Invading Their Privacy

Launching today at TechCrunch Disrupt NY 2016 is a new service called Bark, aimed at parents who want to keep their kids safe online. Unlike traditional “parental control” software or net nanny-type watchdog applications, Bark’s goal is to strike the correct balance between respecting a child’s right to privacy and protecting them from online predators and cyberbullying, while also looking out for issues like sexting or mental health concerns. To use the service, parents sign up online at the Bark website, add their kids, then work with the children to connect their social accounts. Once set up and configured, Bark uses machine learning techniques to look for incidents of dangerous activity, whether that’s cyberbullying, sexting, a child interacting with an older stranger who could be grooming them (as online predators do) or even signals that the child could be experiencing a mental health concern like depression or suicidal thoughts. When Bark finds something questionable, it sends an alert to the parent that not only contains the relevant conversation, when and where it took place, but also recommended ways of handling the issue appropriately. Bark competes with a handful of other solutions, including VISR, more traditional software programs and cyberbullying-specific solutions like ReThink or STOPit. [Source]


WW – Stop Resetting Your Passwords, Says UK Govt’s Spy Network

The UK government has, on World Password Day, repeated its advice against the common security practice of routinely changing passwords. “In 2015, we explicitly advised against [the practice],” a post by GCHQ’s Communications-Electronics Security Group (CESG) notes. “This article explains why we made this unexpected recommendation, and why we think it’s the right way forward.” As tech advice goes, this is one that people will actually want to hear, and the CESG has put out a 16-page document called “Simplifying Your Approach” that explains what you should do to get your information secure without driving your users crazy. Those in favor of automatically and regularly resetting passwords believe it makes historical password information useless; it forces users to periodically think about security; it increases the likelihood that people will use a password they do not use for other services; and it creates more of a moving target for potential hackers. “The problem is that this doesn’t take into account the inconvenience to users – the ‘usability costs’ – of forcing users to frequently change their passwords. The majority of password policies force us to use passwords that we find hard to remember.” The problem is our rubbish brains: “While we can manage this for a handful of passwords, we can’t do this for the dozens of passwords we now use in our online lives.” The result, according to CESG, is that we are more likely to write our password down. Or forget the password altogether, forcing service desks to reset them, chewing up time and resources. As a result, CESG “now recommend organisations do not force regular password expiry.” Instead, it says, companies should introduce system monitoring tools such as showing a user the last time they logged in to flag if someone else is using their account. [Source] See also: [Don’t do it! 5 ways to upgrade your passwords this PasswordDay]

WW – Security Defenses Improving at Many Firms, Study Reveals 

Many organizations have made significant improvements in IT security preparedness and effectiveness, taking steps to improve their security posture, according to new research from SolarWinds, a provider of IT management software. The company’s survey of IT professionals in North America showed that more than half (55%) said their organizations did not experience any security breaches in 2015. About 30% said they had experienced a breach. Half of the respondents said their organizations were less vulnerable than they were a year ago, compared with 12% who said they are more vulnerable. “The most surprising finding of the survey is just how many organizations are less vulnerable today than they were a year ago, and, on a related note, how many have implemented security technologies and better security training,” said SolarWinds. [2016 IT Security Survey, North America] [Source] See also: [Microsoft has published the 20th edition of its Security Intelligence Report covering the period July 2015 to December 2015]


US – Justice Department Building Wearable Camera Catalog for Police

The Justice Department is crafting a catalog to assist police departments buying wearable cameras, including information on the devices’ privacy capabilities. Fears surrounding hackers infiltrating body cameras will be addressed in the catalog, with data protection and privacy controls among the characteristics listed in the guide. Each device will have five areas of information to properly inform departments of what they are purchasing, covering vendor, camera, video storage software, ease of use, and installation. Included within those five categories are details on facial recognition, “privacy masking” to blur out certain images and protect personal privacy, and encryption features to protect data from cyberattacks. Sheila Jerusalem, a spokeswoman for the Justice Department’s National Institute of Justice, said the organization wants the guide available by December 2016. [Nextgov]

US Legislation

US – California Bill Would Dictate What Happens to Digital Footprint Post-Death

A new California bill could set a national precedent for the handling of an individual’s digital footprint after they pass away, Fusion reports. The Revised Uniform Fiduciary Access to Digital Assets Act would create rules for how companies can share a deceased person’s digital records. The rules first defer to the late party’s directions for how those records would be handled, then look toward a will. If no instructions have been left, all decisions will be made by the site’s terms of service. Despite revisions being made to the bill, privacy advocates are still concerned. “Is it possible that they might make mistakes both by releasing too much information or releasing it to the wrong person?” said Kevin Baker, legislative director for the ACLU of Northern California. “We think the history of the treatment of digital records shows that there likely will be mistakes.” [Full Story]



26 April – 05 May 2015


US – FBI Seeks Privacy Act Exemptions for Its Biometric Database

Seeking to avoid compromising law enforcement investigations, the FBI wants to prevent individuals from discovering if their information is contained within the agency’s biometric database. The Justice Department will propose the FBI’s “Next Generation Identification System“ be withheld from provisions of the Privacy Act. The NGIS gathers information on individuals, including palm prints, fingerprints, iris scans and facial photographs. The FBI fears that letting individuals know if their information is within the database could affect law enforcement investigations by undermining “national security efforts,” or possibly revealing a “sensitive investigative technique.” The Electronic Privacy Information Center’s Jeramie Scott said, “If you have no ability to access the record the FBI has on you, even when you’re not part of an investigation … and lo and behold inaccurate information forms ‘a pattern of activity’ that then subjects you to [be] the focus of the FBI, then that’s a problem.” [Nextgov]

RU – Facial Recognition App An ‘Unmitigated Privacy Disaster’

FindFace, a facial recognition app, has caused a stir within Russia, and its creators are working to halt malicious use. While the app has been used to take pictures of subway riders and locate them on Vkontakte, Russia’s version of Facebook, others have used it for more nefarious purposes, including outing Russian porn stars. Maxim Perlin, the founder of FindFace, said the company is “making every effort to protect all Vkontakte users from potential malicious acts,” but it’s difficult to stop the bad behavior. FindFace’s power comes from NTechLab, the company developing the facial recognition technology used by the app. NTechLab won the University of Washington’s face recognition challenge, beating out Google’s FaceNet program, by identifying 73% of individuals in a set of 500,000 images. [Fusion] [Facial Recognition Used to Strip Sex Workers of Anonymity]

US – Lunchroom Print Scanners Problematic?

Biometric company PushCoin and its lunch line fingerprint scanners have proponents lauding their convenience, but civil libertarians warn their growing preeminence may adversely dilute privacy attitudes. “I think it undermines the notion of really thinking about the importance of your biometrics as a matter of privacy,” said an ACLU spokesman. “I think in this age, when so much is available and so much is accessible online about us and there is all of this information that floats out there, to begin to include in this one’s biometrics, it really does raise some legitimate concerns.” [Daily Herald]


CA – Privacy Important to Business but Many Lack Privacy Basics: OPC Survey

While it is encouraging that businesses are increasingly using more tools to protect personal information, according to a recent survey, there is still room for improvement when it comes to meeting privacy obligations and preparing for soon-to-be-in-force mandatory breach requirements. These were among the findings revealed in the Office of the Privacy Commissioner’s (OPC) biannual telephone survey of 1,016 Canadian businesses. The survey seeks to examine the privacy awareness and practices of Canadian businesses. The findings come ahead of the coming into force of mandatory data breach obligations under federal privacy law. The survey showed some positive developments in certain areas. For example, 41% are “concerned” about suffering a potential data breach (up from 31% in 2013). The OPC was also encouraged to see that an increasing percentage (83%, up from 78% in 2013) said their business uses technological tools, such as passwords, firewalls and encryption, to protect customer personal information. The survey, however, revealed limited movement in other areas. For example, only 41% (up slightly from 37% in 2013) have policies and procedures in place to deal with a breach. In addition, less than half said they have privacy policies to inform customers about the personal information they collect and how it is used. The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at [Source]

CA – Canadian Spy Agency CSE Won’t Reveal Number of Privacy Breaches

The Communications Security Establishment is refusing to release the number of privacy breaches the agency has logged since 2007. Documents obtained by the Star state the intelligence and cyber defence agency has maintained a central database for certain privacy violations since 2007. These breaches are categorized as minor “procedural errors” or more serious “privacy incidents,” and reviewed by the CSE Commissioner’s office every year. The Star requested just the number of breaches — no details about what actually transpired or the Canadian personal information involved — but was told the agency could not comply due to “operational security concerns.” “Releasing the number of (breaches) would provide insight into CSE’s capacity to conduct operations, the extent of its capabilities, the degree to which partner organizations benefit from sharing and the reach of the programs,” wrote spokesperson Ryan Foreman in an email last week. Documents tabled in Parliament last month show CSE logged 13 privacy and information breaches in 2015, affecting at least 630 individuals. The agency did not report any of the privacy breaches to the federal privacy commissioner, as CSE determined that there was “no significant risk” to the individuals involved. CSE further refused to report the activities that led to the breaches. The Star reported Sunday that the agency has been in a year-long debate with the Privacy Commissioner Daniel Therrien’s office over how much information CSE is required to report about privacy breaches. A government-wide regulation requires all serious breaches to be reported to the privacy watchdog, but a “discussion” about how best to do that has been dragging on since at least January 2015. On Monday, NDP foreign affairs critic Hélène Laverdière asked Defence Minister Harjit Sajjan to explain why CSE is resisting turning information over to Therrien’s office. 
“CSE has proactively worked with the commissioner on all aspects, and they do have a good working relationship,” said Sajjan, who is responsible for the intelligence agency. “CSE abides by Canadian law, including the Privacy Act.” [Star]

CA – OPC Funds Ten New Privacy Studies

This week, Canada’s Office of the Privacy Commissioner announced the research projects receiving funding in 2016-2017 under the annual OPC Contributions Program. They are:

  • Decision-Making and Privacy: How Youth Make Choices About Reputational and Data Privacy Online
  • Big Data Ethics Initiative: Assessment for Canadian Organizations
  • Understanding, Discovering and Asserting Personal Privacy Preferences: A Feasibility Study
  • E-Learning Courses on Anonymizing Data
  • Effects of Informal Online Regulatory Regimes on Privacy
  • The Peer Privacy Protectors Project: Innovative Youth-Led Privacy Education
  • Between Memory and Forgetting: Consumers and Digital Death
  • Cloud Atlas: A Citizen’s Guide to Online Privacy and Surveillance Using IXmaps
  • “Protect your Privacy—Online!” Educational Program
  • Left to their own Devices: Privacy Implications of Wearable Technology in Canadian Workplaces [Source]

CA – Children’s Aid Class Action Seeks $25 Million Damages from Hacking

A lawsuit is filed in Ontario court by an individual against county service organizations, a government minister, and others, alleging damages caused by a data breach. The PI of 285 clients was hacked and then posted on a social media site; causes of action include negligence, breach of fiduciary duty and confidence, negligent misrepresentation and intrusion upon seclusion (e.g. a failure to use adequate firewalls, encryption, and up-to-date security protocols and heed warnings about inadequate system security), a breach of Ontario’s FOI legislation (security was not appropriate to the sensitivity of the PI), and a breach of the Charter of Rights and Freedoms (operational negligence). [M.M. v. Family and Children’s Services of Lanark et al. – Statement of Claim – Ontario Superior Court of Justice] [Class action filed after privacy breach at one Ontario children’s aid office]

CA – Canada Considering Spying on Kids to Stop Cyberbullying

The Canadian government is looking for a person or organization to “conduct an evaluation of an innovative cyberbullying prevention or intervention initiative” in a “sample of school-aged children and youth,” according to a tender notice published by Public Safety Canada last week. Although nothing has been finalized, the government will consider letting the organization spy on kids’ digital communications to do it, Barry McKenna, the Public Safety procurement consultant in charge of the tender, said. “The tender doesn’t preclude or necessarily require digital monitoring,” said McKenna. “But there are certainly products on the market that do that, and I would guess that that kind of intervention would be one of interest.” The school board overseeing the school used in the study would have to sign off on digital surveillance of kids, McKenna said, and so would Public Safety. McKenna would not disclose whether any person or organization has responded to the tender yet. The government has budgeted $60,000 for the program, the notice states. [Source]

CA – Rise of Private Surveillance Cameras Points to Legal Limbo

As more homeowners spread the reach of “Little Brother” by installing security cameras on their property, chances are images of their neighbours’ properties or the neighbours themselves could end up being recorded without their knowledge. And while provincial and federal privacy laws are designed to protect citizens from snooping by governments and businesses, they don’t apply to cameras on individuals’ private property. The Office of the Information and Privacy Commissioner for B.C. doesn’t have jurisdiction over homeowners who use security cameras or collect data for personal use, spokeswoman Michelle Mitchell said. But private citizens who are using the camera or the data for commercial purposes would be subject to the provincial Personal Information Protection Act — “for example, if a homeowner who is also a landlord has a CCTV camera that happens to capture images of a tenant,” Mitchell said. “It is not the type of device (i.e., CCTV system), or its location, but why the information is being collected, and what it is being used for, that determines whether our office has jurisdiction,” said Mitchell. [Source]


UK – Study Reveals Post-Snowden Surveillance Chilling Effect

A new study from Oxford University reveals empirical evidence that knowledge of government mass surveillance programs makes the public less likely to read articles about surveillance and other related topics online. The study analyzed Wikipedia traffic before and after the June 2013 Snowden revelations and found evidence of “chilling effects.” Traffic on “privacy-sensitive” articles went down after the “exogenous shock” from the initial Snowden coverage. The articles chosen in the study were based on keywords that are flagged by the Department of Homeland Security for “suspicious” activity. “It means that the NSA/PRISM surveillance revelations … are associated in the findings not only with a sudden chilling effect, but also a longer term, possibly even permanent, decrease in Web traffic to the Wikipedia pages studied,” said the study’s author, Jon Penney. [Full Story]


US – Federal Government Accepted All 2015 Surveillance Requests

An as-of-yet unreleased Justice Department report disclosed that the Foreign Intelligence Surveillance Court received 1,457 communication surveillance warrants from federal law enforcement in 2015, approving all “entirely or in part.” While most of the requests were focused on foreigners’ data, one in five of the warrants were concerned with Americans, the report states. Meanwhile, Facebook indicated that 60 percent of its government-initiated data requests from 2015 prohibited the company from alerting their users, according to U.S. News & World Report. However, “Facebook does not provide any government with ‘back doors’ or direct access to people’s data,” said Facebook Deputy General Counsel Chris Sonderby. “If a request appears to be deficient or overly broad, we push back hard and will fight in court, if necessary.” [ZDNet]

Electronic Records

AU – My Health Record System A ‘Privacy Disaster Waiting to Happen’: APF

The Australian Privacy Foundation has major problems with the federal government’s My Health Record system, saying it’s a “privacy disaster waiting to happen.” The APF says the biggest problem with My Health Record is the amount of access its Medicare Call Centre’s employees have to the system’s data. While the government said it would provide a “clear and robust framework” for the call center in 2011, the APF said not enough has been done in the past five years. “This total failure to deliver on its promise and put in place much needed protections exposes patients to curious call centre operators whose prying and spying are unlikely to be detected,” said Dr. Bernard Robertson-Dunn, chair of the health committee at the APF. [Delimiter]

CA – Insurance Industry Needs to Keep Pace With Data Security

The Canadian life and health insurance industry is making good strides in moving ahead with electronic data exchange, but now needs to ensure that it is keeping pace with ongoing compliance and cyber security issues, a conference was told. Tana Sabatino, implementation services specialist at the Canadian Life Insurance EDI Standards (CLIEDIS), told the organization’s annual seminar in Toronto that its top goal for this year is to concentrate on getting reliable feeds from the advisor to the distributor and over to the carrier. CLIEDIS is the industry association that promotes using electronic data among key members of the life insurance industry, including advisors, managing general agencies (MGAs) and life insurance carriers. Part of that agenda calls for CLIEDIS to ensure data security among members by streamlining the amount of feeds a distributor needs to connect with carriers. Sabatino said there can’t be a situation in which every carrier has a different data stream agreement that each imposes on MGAs. “HUB [for example] isn’t going to implement 15 different security sets of requirements. They’re going to have one, because they have one set of systems.” [Source]


US – Man Jailed for Seven Months (and Counting) for Failure to Decrypt

An unidentified Pennsylvania man has been held in jail for seven months because he has refused to decrypt hard drives that authorities believe contain illicit images. He has not been charged, but is being held in custody because he was found to be in contempt of court for his refusal. The Electronic Frontier Foundation (EFF) has filed an amicus brief on the defendant’s behalf. [Ars Technica] [Electronic Frontier Foundation Amicus Brief] [Ars Technica]

EU Developments

UK – Government Refuses to Give SC Commish Powers He Didn’t Request

The government has refused to give the Surveillance Camera Commissioner (SCC) extra enforcement powers. The problem is that the SCC hadn’t asked for any more powers. In a very brief letter to SCC Tony Porter, the incumbent commissioner, junior Home Office minister Mike Penning said the government was “not yet convinced that granting your office enforcement and sanction powers would improve compliance.” Penning’s remarkably curt letter also informed Porter that he, Penning, would not be available to meet to discuss the SCC’s annual review of CCTV surveillance, which was published earlier this year. He also noted that the Protection of Freedoms Act 2012, which established the commissioner’s office, is “due for post-legislative scrutiny in 2017.” As we previously reported, speaking at an event hosted by the National Security Inspectorate, a non-governmental certification body on 10 March last year, Porter acknowledged that “one thing that has been levelled at the code and my role is that it lacks teeth. This is a fair comment I think. I don’t have any powers of sanction or inspection. So if a relevant authority is not paying due regard to the code of practice there is not much I can do.” Despite this criticism, in another letter to the minister Porter noted that Penning’s response was “confusing” as he “did not request any powers of enforcement or sanction in the Review.” Porter’s 20-page Review of the impact and operation of the Surveillance Camera Code of Practice was published in February. Penning’s brief letter did not respond to several of the issues raised in Porter’s review. The SCC stated that he was “disappointed that apart from recommendation three, there was no comment on any of the other recommendations.” [The Register]

EU – Commission Issues New Action Plan for Privacy Standards

On 19 April 2016 the European Commission published its Communication ‘ICT Standardisation Priorities for the Digital Single Market’. The Communication was part of the wider ‘Digitising European Industry’ announcement on 19 April – read our blog here for full details of what was announced. The ICT Priorities Communication thrusts into the limelight an obscure but vitally important area of policy: the setting of common technical specifications for ICT products and services, particularly those related to the ability of different devices to communicate with each other. According to the Communication, common standards that ensure interoperability between digital technologies are the foundation of an effective Digital Single Market. The Communication identifies numerous challenges faced by the current legal framework through which technical standard setting at a European level takes place. The Commission’s solution to these challenges is the adoption of a priority action plan set out in the Communication that comprises i) the identification of five priority ‘building block’ areas of the ICT sector in relation to which standardisation efforts are to be focused (5G, IoT, Cybersecurity, Cloud and Big Data); and ii) a high level political process to validate, monitor and, where necessary, adapt the list of priority areas. [Hogan Lovells]

EU – Other EU News


CA – Compromised Bank Cards Lead to Few Answers From Banks

The president of the Consumers’ Association of Canada is calling on banks to become more transparent and release information about what he feels is an increase in the number of compromised bank cards.

“We’ve seen an escalation in the last 12 months of compromised bank accounts, credit cards, debit cards and PINs,” Bruce Cran said. His organization has received “hundreds” of complaints, not only about initial compromises, but repeated compromises on the same account. He said some accounts were compromised as many as four times last year. “The mere volume of what’s happening at the moment indicates to us that there’s a bigger problem here,” he said. “In terms of privacy breaches involving banking institutions, it’s unusual that you would have a number of banks all at the same time formally notifying customers by mail of their card being compromised,” he said. “This is very unusual.” Charney said privacy is not a reason to withhold information from customers. “What it sounds like to me is some kind of excuse in the short term for the banks to continue to investigate and respond to this data breach before they have to publicly announce it,” Charney said. [CBC]


CA – Saskatchewan Charging Media $180K to Access Land Deal Documents

Attempts by media to obtain documents relating to the controversial Global Transportation Hub (GTH) land deal aren’t coming cheap; the province says it’s going to cost $180,000. A total of 29 Freedom of Information (FOI) requests were filed by the CBC. Fifteen were sent to the GTH and 14 to the Ministry of Highways. According to the province’s estimates, the requests could total approximately 9,500 pages.

“In the electronic age it means going back to back-up tapes to get some things. Also, government’s older records are stored off site and we have to get those things in,” Deputy Minister of Justice Kevin Fenwick explained. However, the opposition NDP decried the government’s excuses and is calling it a clear cover-up. “We are talking about a fiasco that ultimately saw a Crown corporation pay alleged Sask. Party insiders three times the estimated value of land close to the Regina highway bypass,” Wotherspoon added. “He needs to scrap this bill and hand over this information.” Meanwhile, a complaint has been filed by the CBC with Saskatchewan’s Information and Privacy Commissioner. [Global News]

CA – Fredericton Secret Meeting Broke the Rules, Privacy Commissioner Says

Everyone who attended a closed-door meeting of Fredericton city council where it approved a letter in support of the Energy East pipeline should have known it was against the Municipalities Act, the province’s privacy watchdog says. Access to Information and Privacy Commissioner Anne Bertrand has been following the controversy after the city sent a letter to the prime minister in support of the pipeline after an in camera meeting on Jan. 26. Thursday, the city issued a statement acknowledging it did not follow the proper process when it sent the letter. Bertrand said, under the act, municipalities are supposed to be open and transparent by default about every decision they make. “They only go to closed sessions when it is necessary, and there are 10 instances that they can do that. So they can’t just decide that anything goes to a closed session,” she said. Bertrand said obvious examples include labour and employment issues, security issues or criminal investigations. [Source]

CA – Fontaine v. Canada Ruling Favours Privacy Of IRS Survivors

In a case that tied questions of aboriginal law with privacy law, the Ontario Court of Appeal decided indigenous Canadians who suffered abuse in residential schools could decide whether their evidence will be archived or destroyed after a mandatory 15-year retention period. Part of the question in Fontaine v. Canada was who gets to decide whether claimants’ testimony, submitted as part of the Indian Residential Schools Settlement Agreement, would be archived or destroyed. Detailed and often traumatic personal stories of abuse are gathered under the IRSSA’s Independent Assessment Program. The court said the appeals before it raised “the question whether the survivors control the stories of their residential school experiences or whether others do.” In Fontaine, a number of Catholic institutions argued they, too, should consent before the redacted evidence is archived at the National Centre for Truth and Reconciliation and potentially available for access by future generations. They argued the decision to archive the documents affects the alleged perpetrators and the churches. A lower court judge had found the only consent needed to archive the evidence is that of the claimants themselves. In a decision dated April 4, the court of appeal agreed. [Source]

EU – Google RTBF Requests Report for Europe

Google released a transparency report, presenting figures on European right to be forgotten requests for online searches since the European Court of Justice ruling of May 2014. A total of almost 1.5 million URLs have been evaluated, and of the 422,000 requests for removal, 42.8% were removed; 10 social network sites and search directories account for 8% of all URL removal requests. [Transparency Report: European Privacy Requests for Search Removals – Google]

US – ODNI Publishes 2015 Transparency Report

The Office of the Director of National Intelligence (ODNI) released its third annual transparency report. The report offers statistics about the frequency with which the government employs certain national security authorities, according to a press release. The release follows President Barack Obama’s 2013 direction to the intelligence community that it both declassify and make public data on U.S. surveillance activities to the extent that it was possible while still protecting national security data. Further, the USA FREEDOM Act of 2015 codified the statistics published in the DNI’s annual reports. The release covers “information concerning United States person search terms and queries of certain unminimized, [Foreign Intelligence Surveillance Act]-acquired information,” in addition to unique identifiers from FISA orders. [Source]

US – FBI Customer Record Requests Up 50% in 2015

A U.S. government transparency report revealed FBI requests for customer records were up 50 percent in 2015. The FBI sent 48,642 National Security Letters to Internet and telecommunications companies last year, up from the 33,024 letters in 2014. An NSL is sent by the FBI requesting information on an individual, including phone numbers, emails, IP addresses and other information. The report also states that 31,863 of the requests were made on foreigners, attributed to law enforcement efforts to track terrorist groups such as the Islamic State. In related news, U.S. District Judge Yvonne Rogers has stopped Twitter’s attempt to release more information on surveillance orders it receives from the government. “The First Amendment does not permit a person subject to secrecy obligations to disclose classified national security information,” Rogers wrote. Twitter will have the chance to re-file its case. [Source]


CA – NS Suspends “Unreliable” Hair Testing for Child Protection Cases

Nova Scotia has become the fourth known province to suspend or ban the use of drug and alcohol hair testing in child protection proceedings, after New Brunswick, British Columbia and Ontario. The move comes in the wake of a 2014 Star investigation into the Hospital for Sick Children’s Motherisk laboratory, which found that prior to 2010, the lab was using a hair test that was not recognized as the “gold standard.” An independent review deemed the hair test results “inadequate and unreliable” in 2015. They were used in potentially thousands of child protection cases in Ontario as well as in British Columbia, Quebec, Nova Scotia and New Brunswick, where they were routinely accepted as evidence with little scrutiny in court. Questions have been raised for years about hair strand testing, regardless of the laboratory performing the service. Because of the effect of alcohol-based hair products, “the risk for false-positive results appears high when monitoring a female population,” Motherisk’s own manager at the time, Joey Gareri, wrote in a 2011 paper he co-authored with Motherisk founder and director Gideon Koren. Studies have also suggested that drugs appear to be incorporated more readily into darker-coloured hair, and there is also evidence that the way substances are incorporated into the hair of a single individual may vary from strand to strand. Motherisk ceased its hair testing practices in 2015 prior to the completion of the independent review, but some provinces were still using hair tests from other labs in some cases until very recently. [Source]

Health / Medical

CA – Massive Health Information Overhaul Coming to Alberta

Patients tired of retelling medical histories, physicians frustrated with a cumbersome record system too reliant on paper, and administrators struggling to cut costs hope to benefit from a massive health information overhaul in Alberta. The government has vowed to invest $400 million over the next five years to begin replacing most of the 1,300 unconnected technology platforms currently in use within Alberta Health Services. The new, single clinical information system will be deployed across the province after an initial rollout in Edmonton facilities, where an antiquated, 30-year-old technology has been a festering headache. Dr. Robert Hayward, chief medical information officer for AHS, described a clinical information system as a giant integrated data hub that serves every aspect of the health system a patient might touch, from drug prescriptions and diagnostic tests to rehab clinics and home care. He said the best systems not only offer information for individual users, but can also manage broad, systemwide data on admissions and discharges, and the management of beds and supplies. For patients, Hayward said one of the biggest benefits will be the ability to have a single medical record that can be accessed by health providers at any point in the system. Currently, patients are often forced to repeatedly explain their health stories to different professionals, rather than having a seamless experience in which everyone is working from the same information. The system is also expected to have a portal for patients to access their own information. For health professionals, the arrival of the system should modernize processes that are often described as excessively time consuming and prone to error. Hayward said $400 million will “kick-start” the project by allowing AHS to issue a request for proposals. 
It’s expected the successful company will need a couple of years to install the new technology platform across the Edmonton zone, which is behind Calgary and plagued with a system at risk of failure. Then, over the next 10 years, the idea is to extend the system all over the province so that every provider can use it, including small doctors’ offices. Hayward said cost savings from the first rollout of the technology will be used to fund the later stages. [Edmonton Journal]

CA – Settlement Reached in Lawsuit After Edmonton Medicentre Laptop Theft

A settlement has been reached in a class-action lawsuit filed after a laptop containing the personal health information of 620,000 Albertans went missing. The settlement totals $725,000 to resolve credit damage, mental distress, increased risk of future identity theft and time and costs associated with preventing identity theft. The lawsuit originally sought $11 million. It was filed in 2014 against Medicentres Canada Inc., AbleIT Inc. and third-party individuals after an unencrypted laptop of an IT consultant for Medicentres was stolen from an Edmonton medical clinic in September 2013. The computer contained the names, birth dates, Alberta Health Care numbers and Alberta Health diagnostic codes of people who attended a Medicentre clinic in Edmonton or Calgary between May 2, 2011, and Sept. 19, 2013. People who were affected by the records loss can register with the law firms. There are different categories of claimants, including those who suffered mental stress and sought medical attention; those who can show that their identities had been stolen as a result; and those concerned about identity theft. [Source]

UK – NHS to Share 1.6 Million Health Records with Google AI Company

Google’s artificial intelligence company DeepMind has struck a deal with the UK’s NHS to access healthcare data of 1.6 million people. The agreement allows DeepMind access to current and historical data for patients at three London hospitals to develop an app to help monitor patients with kidney disease. The access granted in the agreement covers all health data, not just kidney disease data. [New Scientist] [The Register] [SCMagazine] See also: [Google company’s access to NHS records raises privacy concerns]

WW – Why Cybercriminals Attack Healthcare More Than Any Other Industry

Cybercriminals attacked the healthcare industry at a higher rate than any other sector in 2015, and more than 100 million healthcare records were compromised last year, according to a new report published by IBM. In fact, 2015 was “the year of the healthcare breach,” IBM said in its 2016 Cyber Security Intelligence Index. The rate of attacks against the healthcare sector climbed to the highest level of all industries studied in 2015, after not making the top five in 2014, as healthcare leaped ahead of the manufacturing, financial services, government and transportation industries. Data breaches in the healthcare sector are also getting larger – with five of the eight largest health data breaches reported since 2010 (those with more than 1 million records compromised) occurring in the first six months of 2015, IBM’s report said. And the cost of data breaches is going up, particularly in healthcare, according to IBM’s 2015 Cost of a Data Breach study. While the average cost of a data breach across all industries was $3.8 million in 2014 – up 23% from 2013 – the cost per record in the healthcare sector was $363 per record breached, more than twice the overall average of $154 per record. [Source]

Horror Stories

WW – Massive Breaches at Major Email Services, 272.3 Million Affected

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld. The discovery of 272.3 million stolen accounts included a majority of users of Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security. It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago. [Reuters]

WW – Notable Privacy Breaches

Intellectual Property

US – Self-regulatory Group Takes Action Against Three App Developers

Three popular app publishers have changed their privacy practices after the enforcement arm of the Better Business Bureau found they were out of compliance with accepted self-regulatory standards. The makers of Spinrilla, Top Free Games and Bearbit Studios were found to be out of compliance with the Digital Advertising Alliance’s Self-Regulatory Principles. [Full Story]

Internet / WWW

WW – Google for Work & Google Cloud Get New Security/Privacy Certs

In what is clearly part of the company’s efforts to get more enterprise customers on its platforms, Google announced that it has renewed its ISO 27001 certification for the fourth year in a row and upped its product coverage from 34 to 59 products. In addition, Google Apps for Work and the Google Cloud Platform have now also been certified for ISO 27017 for cloud security and ISO 27018 for privacy. Google already said it would adopt ISO 27018 for Google Apps for Work last year. ISO 27017 basically certifies that Google’s virtual networks are as secure as its physical networks, that data is protected and inaccessible to other customers on the same platform and that it’s clear which security responsibilities fall on Google and which are the customer’s. ISO 27018 mostly covers privacy controls. It certifies that Google doesn’t use its customers’ data on the covered platforms for advertising, for example, and that the customers’ data remains theirs. It also certifies that Google lets you delete and export your data and is transparent about where the data is stored. Because enterprises do look for these certifications when they decide on a cloud provider, it’s no surprise that Amazon’s AWS and Microsoft’s Azure also offer similar compliance assurances. AWS already offers the same ISO 27001, 27017 and 27018 certifications as Google, for example. Azure, too, is ISO 27001- and 27018-compliant. [Source]

Law Enforcement

US – Maryland Cops Deploy StingRay Tech Against Chicken-Wing Thief

Police in Maryland, US, used controversial cellphone-tracking technology intended only for the most serious crimes to track down a man who stole $50 of chicken wings. Police in Annapolis used a StingRay cell tower simulator in an effort to find the location of a man who had earlier robbed a Pizza Boli employee of 15 chicken wings and three sandwiches. Total worth: $56.77. In that case, according to the police log, a court order was sought and received, but in many other cases across the US, the technology is being used with minimal oversight, despite the fact it is only supposed to be used in the most serious cases such as terrorism. Annapolis police never found the thief but he represented just one of 17 occasions on which the city of 40,000 people used the device in 2011. Its use is far more prevalent in larger cities. The Philip Merrill College of Journalism’s Capital News Service found that Maryland State police has used a StingRay at least 125 times since 2012. Howard County, which lies to the south of Baltimore and has a population of 300,000, has used a StingRay 129 times since 2011. The police in Baltimore City have used their StingRay an extraordinary 4,300 times since 2007, sparking an investigation and review of 2,000 of them. New York City has used its StingRay more than 1,000 times since 2008. [The Register]


US – Westin Centre Issues New Geolocation Practice Guide

Geolocation is used for purposes ranging from emergency services to targeted advertising to fraud prevention. For consumers, the use of geolocation has obvious benefits, though concerns over how this data is collected, accessed and used, and by whom, have been a consistent topic of debate. Regulators from across the globe have weighed in with guidance and legislation, industry groups have issued codes of conduct and even the U.S. Supreme Court has offered an opinion. This IAPP Westin Center Practice Guide offers a quick way to get up to speed on geolocation and the issues surrounding it. [Full Story]

EU – Healthcare Apps and Wearables Create High Risks for Users: German DPAs

During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps (mobile device software offering health-related services). The DPAs claim that these devices and apps collect personal health data, which is subsequently transmitted to manufacturers, internet providers, and other third parties. In general, under German law, a company may collect, process, and use personal health data only if specifically authorized by law, such as the German Federal Data Protection Act (FDPA), or if the data subject has consented. The resolution clarifies how these requirements apply to wearables and apps:

  • Manufacturers of wearables and healthcare apps should use data privacy-friendly technologies and default settings (e.g., privacy by design), and should adhere to the principles of data reduction and data minimization, as well as anonymization/pseudonymization.
  • A data subject’s consent regarding the collection, processing, and use of personal health data should be transparent, particularly regarding a transfer to third parties.
  • In the context of employment and insurance, any consent to use of personal health data likely is invalid, based on concerns regarding significant negotiating imbalances between the parties. Consistent with the German DPA’s view, the Dutch DPA recently stated that an employee’s consent to the use of wearables is not valid due to the financial dependence of the employee.
  • Legal requirements for data security cannot be waived contractually or via consent.
  • In the case that multiple parties are involved in the creation or distribution of wearables and healthcare apps, those parties have a joint responsibility for the wearables and apps, including issues such as meeting quality standards, ensuring IT security, functionality, and the transparency of data usage. However, the resolution does not explain how joint responsibility should operate in practice. [Source]

Online Privacy

US – Supreme Court Gives FBI More Hacking Power

The Supreme Court this week approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes will take immediate effect in December, unless Congress adopts competing legislation. Previously, under the federal rules on criminal procedures, a magistrate judge couldn’t approve a warrant request to search a computer remotely if the investigator didn’t know where the computer was, because it might be outside his or her jurisdiction. The rule change, sent in a letter to Congress on Thursday, would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. Over a million people use Tor to browse popular websites like Facebook every month for perfectly legitimate reasons, in addition to criminals who use it to hide their locations. The changes, which would allow the FBI to go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant, are already raising concerns among privacy advocates who have been closely following the issue. [The Intercept]

Privacy (US)

US – SCOTUS Approves Rule 41 Update, Privacy Advocates Outraged

The Supreme Court approved an update to Rule 41 this week, effectively expanding judges’ abilities to issue warrants for access to computers outside of their jurisdictions. The move has drawn criticism from Sen. Ron Wyden, D-Ore., and several privacy advocates. Last month, Wyden warned of the potential change and vowed to stop it. Congress has until Dec. 1 to either amend or deny the update. “Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime,” said Wyden. Open Technology Institute’s Kevin Bankston said the “obscure rule change” authorized “a whole lot more” government hacking. [Morning Consult] See also: [A retail industry group is railing against a bill that would require companies to notify customers following a breach and set nationwide data security standards similar to those in the financial sector] and [A House Committee on Education and the Workforce hearing to evaluate the 1974 Family Educational Rights and Privacy Act and how Congress should update it.]


WW – SS7 Network Leaves Major Hole in Cellphone Security

Signaling System No. 7 network’s vulnerabilities have caused major problems for smartphone security. SS7 is a set of technical rules for how data gets exchanged in cellular networks, mainly involving computing cellular billings, texts, and assisting when users are roaming. The vulnerability in the network was revealed last week during a “60 Minutes” episode in which researchers demonstrated how they could hack into Rep. Ted Lieu’s, D-Calif., smartphone. Lieu has since called for a congressional hearing on SS7, and the Federal Communications Commission has said it will examine the issue as well. [Wired]

WW – Latest Security Study Worry: How Many Times Will You Be Breached?

The threat level of cyber attacks on virtually every organization continues to increase, with more than half of companies reporting the loss of customer data due to DDoS attacks, and three-quarters of organizations suffering a breach in 2015. Those are among the findings of the latest research from Neustar, Inc., from its third global DDoS Attacks and Protection Report titled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks. The research results show that although revenue loss caused by a DDoS related outage is usually the main concern of targeted organizations, 57% of all breaches involved some sort of theft including intellectual property and customer data as well as financial information. “More troubling, following the initial breach, 45% of organizations reported the installation of a virus or malware – a sign that attackers are interested in causing ongoing harm,” the report explains. The research highlights that although DDoS attack tactics continue to evolve from single large attacks intended to take a website offline to the multi-vector attacks we are seeing today, organizations are fighting back. The research revealed that 76% of companies are investing more in DDoS protection than in 2014, and 47% of the attacked organizations are participating in security consortiums to share information on threats and countermeasures. [Source] [Neustar Press Release]

Smart Cars / Internet of Things

WW – Samsung SmartThings Vulnerabilities

Researchers from the University of Michigan have published an “in-depth empirical security analysis” of Samsung’s SmartThings smart home platform, a program that allows people to use SmartApps to control all sorts of Internet-connected devices in their home from their smartphone. The researchers found they could trigger false smoke alarms and plant code in digital locks that would allow them access to the house. They noted that the SmartApps are capable of gaining privileges they do not need, and that the SmartThings event subsystem offers inadequate protection of events that transmit sensitive data. [The Register] [Wired] [CNET] [Ars Technica] [Security Analysis of Emerging Smart Home Applications]

SG – Singapore Ramping Up Smart City Efforts

Singapore is planning to create the most elaborate and comprehensive smart city in the world. The country plans on placing an undetermined number of cameras and sensors around the city, permitting the government to check everything from crowd numbers to the movement of vehicles. While the smart city’s capabilities won’t be fully realized until after it is implemented, some early uses could include monitoring events such as the spread of infectious diseases. The government is working on finding the best way to ensure citizens’ privacy won’t be violated, according to the report. While public meetings haven’t been held on protecting citizens’ privacy, the government insists collected data will be anonymized as much as possible. [The Wall Street Journal]

US – Proposed Michigan Bills Would Have Car Hackers Face Life in Prison

State legislators in Michigan have introduced two bills that would impose a life prison sentence for anyone who maliciously accesses automobile computer systems. One of the bills reads, in part, “a person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.” [ComputerWorld] [The Register] [CNET]

CA – Lawyers Ask SCOC to Consider “Black Box” Privacy

Two Kamloops lawyers are making a bid to overturn a B.C. Court of Appeal decision that found drivers have no expectation of privacy relating to data in their vehicle’s black box. 54-year-old Wayne Fedan of Kamloops was convicted in September 2014 of dangerous driving causing death in connection to a crash four years earlier. He was sentenced to three years in prison and handed a three-year driving ban to begin following his sentence. The sentencing judge found data contained in the black box of Fedan’s pickup truck showed his foot was on the accelerator as he rounded a corner at more than twice the posted speed limit. Lawyers Micah Rankin and Anthony Varesi have filed an argument with the Supreme Court of Canada. The court has yet to decide whether it will hear the appeal. The March 20, 2010, crash on Mackenzie Avenue, at the turn in front of the entrance to McArthur Island, killed 20-year-old Brittany Plotnikoff and 38-year-old Kenneth Craigdaillie. All three were at a party together and Fedan was driving them home. Both the B.C. Supreme Court and B.C. Court of Appeal rejected arguments that police required a search warrant before accessing data in the vehicle’s black box (known as the sensing diagnostic module, or SDM). Rankin and Varesi argue Canada’s highest court should consider the appeal based on what they call “an issue of national importance,” including four factors:

  • Changes in technology mean automobiles have become “repositories of potentially vast amounts of personal information about drivers” — information that should have protection of privacy rights.
  • The decision sets a precedent for seizure without a search warrant.
  • The decision is at odds with rulings in senior Ontario courts, which found drivers have an expectation of privacy in material contained in the black box.
  • The appeal asks whether the Canadian Charter of Rights and Freedoms limits police from accessing data from devices in automobiles. [Source]


US – Schumer Wants FTC to Investigate Billboard Tracking

Saying it raises “serious questions about privacy,” Sen. Chuck Schumer, D-N.Y., has called on the Federal Trade Commission to investigate Clear Channel Outdoor, a company that manufactures billboard-tracking technology. The RADAR technology uses mobile phone data to collect information for advertising. “Your personal cellphone should not become a James Bond-like gadget that’s used against you by some company,” he said, adding, “You should have to give them permission to follow you when you drive or walk by a billboard.” Earlier this year, Sen. Al Franken, D-Minn., wrote a letter to the company with his privacy concerns. “RADAR uses only aggregated and anonymized information from privacy-compliant third-party data providers who have verified that they adhere to consumer-friendly business practices,” said Clear Channel Outdoor spokesman Jason King. [Full Story]

UK – Civil Rights Group Releases Video Satirizing Investigatory Powers Bill

Liberty, a civil rights campaign charity, released a video lampooning the potential surveillance powers the British government could possess if the Investigatory Powers Bill is passed. In “Show Me Yours,” comedian Olivia Lee approaches random citizens, browbeating them into showing personal information on their phones. Lee is met by a series of irritated individuals, highlighting Liberty’s opposition to the bill Home Secretary Theresa May is looking to pass and how citizens don’t want third parties looking at their information. “As our film shows, people naturally recoil when a stranger asks to see their phone — there’s a reason we use encrypted services and protect our phones and computers with passwords and codes,” said Larry Holmes, Liberty’s digital and campaigns coordinator. [The Huffington Post]

Telecom / TV

UK – 72% Orgs Support BYOD Despite Privacy/Security Concerns: Survey

According to the results of a new survey, 72% of organisations across the financial services, technology, healthcare, government and education sectors support BYOD for all or some employees. However, only 14% have successfully deployed Mobile Application Management (MAM) solutions, creating issues in areas such as controlling access to corporate data and enforcing device encryption. In most of the industries surveyed, employee satisfaction was seen as a key benefit of enabling BYOD, with government being the only exception where it was valued by less than half (44%) of respondents. In contrast, privacy was cited as the biggest inhibitor to BYOD adoption in 52% of SMBs, with large organisations being more concerned with security. Data leakage was one of the top concerns across all sectors, including 81% of financial services, 90% of healthcare and 79% of education organisations. Despite this concern, device encryption was supported in only 36% of educational institutions, 56% of financial services organizations and 57% of healthcare organizations. The full report, entitled ‘How Forward-Looking Industries Secure BYOD,’ surveyed more than 800 cyber security professionals and can be found here. [Source]

US Government Programs

US – FBI Use of National Security Letters Up by 50% in 2015

FBI requests for customer records under a secretive surveillance order increased by nearly 50 percent in 2015, according to a U.S. government transparency report published this week. Internet and telecommunications companies in 2015 received 48,642 requests, up from 33,024 reported in 2014, for data via so-called National Security Letters (NSLs). The NSL is a tool used by the FBI to gather phone numbers, email and IP addresses, web browsing histories and other information. An NSL does not require a warrant and is usually accompanied by a gag order. The number of actual written orders issued decreased in 2015, however, from 16,348 to 12,870. One NSL often contains multiple requests for information, such as a series of email addresses believed relevant to an investigation, where each address counts as one request. The year-to-year statistics may not be entirely precise due to changes in reporting requirements ushered in last year under a surveillance reform law passed by Congress, sources familiar with the process said, but they indicate general trends. The majority of NSL requests, 31,863, made in 2015 sought information on foreigners, regarding a total of 2,053 individuals, according to a Justice Department memo sent to Congress, while the number of requests on U.S. persons declined. A U.S. government source said the rise in NSL requests is in part attributable to efforts by militant groups such as Islamic State to use multiple accounts across several different communications platforms. [Reuters]

US – White House to Commence Artificial Intelligence Workshops

In an official White House blog post, Deputy U.S. Chief Technology Officer Ed Felten announced a new series of public workshops designed to better understand the potential benefits and concerns about artificial intelligence. Felten notes that “a series of breakthroughs in the research community and industry have recently spurred momentum and investment” in the AI field. With a potential to transform health care, education and transportation, AI will also bring with it risks, including privacy and security risks. As a result, the White House Office of Science and Technology Policy will co-host four workshops in the coming months. Cities include Seattle, Washington, Pittsburgh and New York City. The workshops will then “feed into the development of a public report later this year,” Felten wrote. [Full Story]

US Legislation

US – House Passes Bill Aimed at Closing ECPA Loophole

The US House of Representatives has unanimously passed the Email Privacy Act, which would amend an outdated law to protect the privacy of digital communications. The wording of 1986’s Electronic Communications Privacy Act (ECPA) was being interpreted to allow law enforcement to demand email and other electronic communications without a warrant. The Email Privacy Act would require authorities to obtain warrants to access the information. [The Hill] [Ars Technica] [ComputerWorld] See also: The House Energy and Commerce Committee passed a bill levying heavy punishments for individuals committing the prank known as “swatting” — a form of online trolling.

US – Colorado Student Data Privacy Bill Gets Unanimous Senate Approval

The 2016 legislative session’s biggest education policy bill — a measure intended to protect the privacy and security of student educational data — passed the Senate 35-0 this week. The vote continued the unbroken string of success for House Bill 16-1423, which has passed unanimously on every committee and floor roll call since it was introduced. That’s a pattern usually seen only with the most minor, technical bills. The measure’s original text also has survived almost entirely intact. The main elements of the bill include a detailed definition of personally identifiable information that must be protected, restrictions on software companies and other vendors, and additional transparency and disclosure requirements for the Colorado Department of Education and school districts. The bill also sets some district controls over classroom apps and software used by teachers. The bill returns to the House for consideration of non-controversial amendments, approval of which will be a formality. [Source]

US – Other US Legislative Developments




Privacy News Highlights: 19-25 April 2016


CA – Manitoba Ombudsman Lays Charges for “Snooping”

The Manitoba Ombudsman has laid charges for snooping under new provisions in the Personal Health Information Act. Individuals using, accessing or attempting to access personal health information without cause are now committing a fineable offence under the Personal Health Information Act. [Manitoba Ombudsman lays “snooping” charge under The Personal Health Information Act]

CA – Ransomware: OIPC SK Provides Guidance on Preventive Measures

The OIPC in Saskatchewan released guidance to public and private sector organisations on how to manage ransomware. Organizations should install anti-virus software, educate employees about phishing attacks, maintain offline backups of data and have an infection response plan in place; if attacked, they should remove the infection and attempt to restore the files or system from backup. [Office of the Saskatchewan Information and Privacy Commissioner – Ran$omware…What You Need to Know]

CA – Assisted Dying Bill C-14 Could Violate Charter, Feds Acknowledge

In a written explanation of the reasoning behind the proposed new law on medical assistance in dying, the Justice Department acknowledges that the bill could violate the charter of rights on a number of fronts.

They include:

  • Excluding those who are suffering intolerably but whose natural death is not reasonably foreseeable could violate the right to life, liberty and security of the person.
  • Treating people differently on the basis of their different medical conditions could violate equality rights.
  • Not allowing advance directives could force those with competence-eroding conditions like dementia to take their lives prematurely or risk permanently losing access to medically assisted death once they no longer have capacity to consent, thereby violating equality rights and the right to life, liberty and security of the person.
  • Restricting access to adults at least 18 years of age could violate the right not to be discriminated against based on age.
  • Requiring two independent people to witness a written request for medical assistance in dying could violate privacy rights. [Source]

CA – OPC to Investigate RCMP Over Alleged Stingray Cellphone Surveillance

While the outcome of the Privacy Commissioner’s investigation may hinge on whether the RCMP obtained proper judicial authorization prior to the use of Stingrays in particular cases, the validity of the legislation providing for such authorization could be open to an attack under the Canadian Charter of Rights and Freedoms and might also contravene telecommunications legislation. Whatever the legal outcome, the disclosure of the use of Stingrays has already sparked a public debate that could act as a catalyst for new legislation specifically regulating the use of Stingray devices. [Source]

CA – Brison Pledges to Improve Reporting of Privacy Breaches

Treasury Board will work with Canada’s Privacy Commissioner to improve the reporting of privacy breaches by federal government departments, said Treasury Board President Scott Brison following a committee meeting. “It’s an area that we will work with the commissioner and the commissioner’s office and with departments and agencies to understand fully what we can do to improve results and we’re seized with it.” Brison’s comments come after documents tabled in Parliament last week revealed that federal government departments and agencies breached the privacy of thousands of Canadians last year but only a fraction of those incidents were ever reported to Canada’s Privacy Commissioner Daniel Therrien. While departments don’t have to inform the privacy commissioner’s office of every incident, the documents also revealed that there was a wide range in the proportion of the breaches reported to the Privacy Commissioner’s office. [Source]

CA – RCMP Memo Details Public Safety Risks Via Surveillance Devices

A 2011 internal Royal Canadian Mounted Police memo warns of the ways in which IMSI catchers can negatively affect public safety. The memo mentions how the devices, which mimic cellphone towers to obtain data, can block important phone calls, including people dialing 911. The RCMP has been using IMSI catchers to surveil for potential crimes, but the internal memo warns of a risk to innocent third parties. Details within the memo also hint at expanded use of the devices by the RCMP. “When considering whether the use of the [IMSI catcher] should be authorized … officers should weigh the need to prevent imminent bodily harm, preserve life and investigate serious crimes … against the importance of having a reliable 911 system that Canadians can count on in all circumstances,” the memo reads. [The Globe and Mail]


US – Poll: American Voters Overwhelmingly Want Privacy, Encryption

Voters overwhelmingly support encryption and other measures to protect their digital privacy, according to a new poll from ACT | The App Association trade group. In the survey, 93% of respondents said it’s important that the photos, health data or financial information they store on their phones and apps, or share online, stay secure and private. Nearly the same number (92 percent) said they need “powerful, consumer-focused encryption technology” to make sure their information is secure. Meanwhile, the survey also found that 54% of respondents trust tech companies like Apple, Google and Facebook more than federal agencies, like the FBI, to protect personal information on their electronic devices. Only 21% said the reverse. [FedScoop]

US – Study: Trust in Social Media Companies Ranks Very Low

An Environics Communications study found only 26% of those surveyed ranked social media with a five or higher on a seven-point scale of trustworthiness. “These are relatively new industries, they haven’t had a lot of time to accumulate baggage … but there’s something about what’s going on that is not creating trust,” said Environics CEO Bruce MacLellan. Companies’ use of personally identifiable information and other elements of a user’s social media content for targeted advertising may be the source of anxiety. “The whole privacy issue is a huge part of this,” MacLellan said. “People are wary about what’s going on with that content, and how it’s being used.” [The Globe and Mail]


US – Email Privacy Act Expected to Pass in House Vote

House Majority Leader Kevin McCarthy, R-Calif., docketed a vote for the Email Privacy Act in the upcoming week. If passed, the legislation would mandate law enforcement officials get a warrant before accessing users’ electronic communications stored by tech companies, the report states. It came through committee in early April with only minor revisions. While the bill is believed to pass the House with ease due to its more than 300 co-sponsors, its Senate journey might not be so clear-cut, the report adds. Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, “has previously expressed sympathy for some agencies’ concerns.” [The Hill]

US – Study: Phishing Email Attacks on the Rise

Verizon’s ninth annual Data Breach Report found that phishing emails were the primary catalyst for data loss, with the proportion of emails opened growing from 23% to 30% in the last year. Embracing two-factor authentication is one option for companies looking to avoid falling prey to phishing attacks, said Verizon’s Bryan Sartin. “It would mitigate an entire swathe of these breaches.” [CSO Online]


US – Tech Groups Write Open Letter Criticizing Encryption Bill

Four major tech groups, representing companies including Facebook, Netflix and Google, have written an open letter to a pair of senators regarding their bill requiring that all encryption have the ability to be cracked when needed. The bill, by Senators Richard Burr, R-N.C., and Dianne Feinstein, D-Calif., was recently leaked and widely criticized. “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm,” the letter’s opening reads. The letter arrives at the same time a new survey from ACT reveals that 93% of respondents said it’s important their data is secured, with 92% needing strong encryption on their devices. [TechCrunch]

EU Developments

EU – EDPS Finds Commission Proposal to Exchange Non-EU Citizens’ Criminal Data Disproportionate

The European Data Protection Supervisor provides an opinion on the European Commission’s proposal to extend the European Criminal Records Information System to third country nationals. Member States would be obliged to store the fingerprints of all convicted non-EU citizens to ensure proper identification of individuals; however, not all Member States store fingerprint data or are connected to the national automated fingerprint identification system, and it is not necessary or proportionate to require storage of fingerprint data regardless of States’ sanction thresholds or the nature of the offence. [EDPS – Opinion 3/2016 – Exchange of Information on Third Country Nationals as Regards the European Criminal Records Information System]

EU – German Constitutional Court Finds Police Investigative Powers Too Broad

The German Federal Constitutional Court hears a complaint alleging that certain provisions introduced into the Federal Criminal Police Office Act are unconstitutional. Criteria for collection of personal data do not have requirements that a specific and foreseeable incident is present or an individual’s behavior substantiates a specific probability for terrorist offences, surveillance of private homes is not fully proportionate and constitutes a serious interference with individual privacy (it should focus exclusively on target persons’ communications), and the body charged with viewing the collected data (members of the police force) is not sufficiently independent. [Germany Federal Constitutional Court Declared BKA Act Partly Unconstitutional]

EU – US Hesitant to Renegotiate Privacy Shield Following EU Regulators’ Opinion

After European privacy regulators articulated concerns with Privacy Shield, the U.S. is reluctant to reopen negotiations. European data protection authorities weren’t pleased with the amount of U.S. surveillance permitted in the new Shield agreement, and while their approval is not needed to finish the deal, they will be enforcing it and aiming to ensure it doesn’t meet the same fate as Safe Harbor. With massive amounts of business on the line, delays to Privacy Shield implementation might be too costly to consider, the report states. “Given the pressure that currently exists with U.S. organizations and even in Europe, with organizations there trying to conduct business, my bet is that we’re going to see the Commission go forward with Privacy Shield,” said a lawyer from Foley & Lardner LLP. [The Hill] [The U.K. Information Commissioner Christopher Graham voiced his disappointment that the U.S. has articulated it isn’t interested in reopening negotiations for the Privacy Shield] U.S. businesses expressed their anxieties after the Article 29 Working Party released its opinion of the E.U.-U.S. Privacy Shield agreement.


CA – Identity Management: FINTRAC Clarifies Which Client ID May Be Requested and/or Recorded for Identity Verification

FINTRAC has issued guidelines to securities dealers on client identification. Acceptable ID must have a unique identifier number, have been issued by a provincial, territorial or federal government, be valid (unexpired), and an original (not a copy); examples include an individual’s birth certificate, driver’s licence, Canadian or foreign passport, record of landing, permanent resident card, or certificate of Indian status or a provincial or territorial identification card (issued by prescribed entities). [Financial Transactions and Reports Analysis Centre of Canada – Guideline 6E: Record Keeping and Client Identification for Securities Dealers]


CA – Doctors, Pharma Company Funding and Privacy

Your doctor could be getting money from pharmaceutical companies and doesn’t have to tell you. It’s not uncommon for health practitioners to have relationships with industry — companies may be in touch about new drugs, sponsor educational conferences or compensate doctors financially for consultation, for work on advisory boards or in clinical trials. If your doctor’s in the United States, you can search their name in a public database and find each payment itemized by date, company and amount, thanks to the Sunshine Act, part of the Affordable Care Act. The legislation requires any pharmaceutical company giving payments or “transfers of value” of any kind or amount to American doctors to disclose them in detail. Canada has no such law. Canadian pharmaceutical companies are legally required to itemize all of their payments to doctors in Detroit, Fargo, Spokane and Seattle — but none of their payments to doctors in Windsor, Winnipeg, Calgary or Vancouver.

Disclosures for presentations, not patients

Nav Persaud, a researcher and physician with St. Michael’s Department of Family and Community Medicine in Toronto, wants that to change. “There are requirements to disclose that funding when, for example, you’re giving a talk to your colleagues. What there’s not clear guidance on is whether those gifts or payments need to be disclosed to patients.” Provincial governments could do it easily, Persaud argues: Ontario, for example, could pass a law requiring all the companies manufacturing drugs covered under the Ontario Drug Benefit to disclose and itemize all of their payments to Ontario health practitioners. [Global News]

US – FBI Officials Keep Tactics Secret, Even from Fellow Agents

According to documents recently disclosed under a Freedom of Information Act lawsuit, FBI officials have long aimed to keep their surveillance tactics secret even from fellow law enforcement officials. Officials “once warned agents not to share details even with federal prosecutors for fear they might eventually go on to work as defense attorneys.” Privacy advocates are concerned that secrecy makes court scrutiny of such practices difficult. Meanwhile, it’s been reported that the Drug Enforcement Administration has been taking tips from National Security Agency data. [USA TODAY]

CA – Ontario’s Police Watchdog Lags Behind Others in Transparency

When a BC man died after being Tasered during an arrest last year, the province’s civilian police watchdog launched an investigation that ultimately cleared the five Chilliwack RCMP officers involved in the death. The officers “acted appropriately” when they used the Taser, wrote Chief Civilian Director Richard Rosenthal in his recent report. Their force was not excessive and no officer should be charged in relation to the death. Then Rosenthal backed that decision up — in a detailed, 12-page public report posted on the watchdog’s website, a document that is “virtually identical” to the report sent to B.C.’s Ministry of Justice, according to the watchdog’s spokesperson, Marten Youssef. That report includes: a timeline of 911 and dispatch calls and a description of their content; a breakdown of the evidence provided by two witness officers and five civilian witnesses; a summary of an analysis of the conducted-energy weapon and of the autopsy report; an explanation of the legal issues, including whether the officers used excessive force that resulted in his death; and the director’s analysis of the evidence.

In cases where B.C.’s Independent Investigations Office clears an officer, the agency releases a decision that is as detailed as possible, because in cases with no charges, “there better be an explanation, and a comprehensive one,” Youssef said. He acknowledges that few people will actually read them from start to end, “but it needs to be there.” “It’s a question of transparency,” he said. Ontario — once a leader in civilian oversight after establishing Canada’s first provincial police watchdog, the Special Investigations Unit, in 1990 — is now lagging behind other provinces when it comes to the transparency measures of its independent police oversight agencies. [Source]

Health / Medical

NO – Norwegian Appeals Board Upholds DPA’s Denial of Approval for Health Data Research Project

The Privacy Appeals Board reviewed the Norwegian Data Protection Authority’s decision to reject an application from the University of Oslo to process health data for a research project. The research project’s proposed collating of data from various sources, including a national patient register, would have permitted the indirect identification of individuals, which did not sufficiently meet pseudonymisation requirements; the DPA was correct in finding that relevant legislation requires that such pseudonymisation be irreversible. [Privacy Appeals Board, Norway – PVN-2015-12 – University of Oslo Health Research Project]

WW – Health Data: Challenges in Providing Notice to Users of Wearable Devices

A CMS Law article examines the current and future challenges of obtaining meaningful consent before collecting or processing health-related data generated by individuals’ wearable devices. Organizations collecting mHealth data via wearable devices face challenges in obtaining meaningful consent from users (owing to small screen sizes and the need to provide a privacy statement including proposed uses of the data); prior consent is still required (with limited exceptions, including for preventive medicine, for medical diagnosis) and the new GDPR will impose even more stringent requirements. [mHealth – Wearables, technical innovation and Data Protection – CMS Law]

UK – Privacy Concerns Limit Social Media-Based Health Campaigns: Study

A “qualitative evaluation” of HIV Prevention England’s awareness program, “It Starts With Me,” found that online privacy concerns inhibit the wider reach of social media-mired intervention campaigns. “Nearly all of our participants held concerns about privacy relating to their social media use and their engagement with sexual health interventions,” the researchers said. They added that their study did not contain privacy-specific questions, but that respondents expressed their privacy concerns organically. [NAM Aidsmap] [Witzel TC et al. It Starts With Me: Privacy concerns and stigma in the evaluation of a Facebook health promotion intervention. Sexual Health, 2016]

Horror Stories

WW – Private Data of 1.1 Million ‘Elite’ Daters for Sale

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web. Other leaked data included weight, height, job, education, body type, eye colour and hair hue, as well as email address and mobile phone number. Location data, in the form of latitude and longitude, were also leaked, along with smoking and drinking habits, interests and favourite TV shows, movies and books. Anyone using the site expecting privacy should now consider themselves exposed, right down to their appearance, whereabouts and interests. “We’re looking at in excess of 100 individual data attributes per person. Everything you’d expect from a site of this nature is in there.” [Source]

US – NY Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients

NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward. “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation or voice alteration software) for whom an authorization was not obtained,” the Office for Civil Rights with the federal Department of Health and Human Services said in an online post. “I think this will have a chilling effect on hospitals going forward. Any hospital legal counsel worth his salt or any P.R. director would be committing malpractice in order to allow it to occur. It’s now embodied in a federal directive.” [Source]

US – North Carolina Clinic Settles HIPAA Breach for $750,000

The Raleigh Orthopaedic Clinic must pay $750,000 in a settlement after the Department of Health and Human Services’ Office for Civil Rights discovered it had shared the health data of 17,300 individuals in 2013 without “executing a business associate agreement,” a violation of HIPAA. “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing personal health information and to obtain assurances that the information will be protected.” [Healthcare IT News]

CA – Class Action Lawsuit Filed for Privacy Breach in Lanark, Leeds and Grenville

A class action lawsuit has been filed following a massive privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville earlier this week that saw the names of 285 families involved with children’s services leaked on Facebook. The class action filed in the Ontario Superior Court of Justice on behalf of a person identified only as M.M. names the agency, its executive director, Children and Youth Services Minister Tracy MacCharles and John Doe – the person responsible for sharing the information – as defendants. The lawsuit calls for $25-million in general damages, $25-million in special damages and $25-million in punitive, aggravated and exemplary damages on behalf of M.M. and the families whose names were shared in a document on the Smiths Falls Swapshop and Families United Facebook pages earlier this week. “This is a very serious breach of privacy, made possible by the Family and Children’s Services of Lanark, Leeds and Grenville,” said Sean Brown of Flaherty McCarthy LLP in Toronto. “That institution made the decision to use an on-line portal system that was easily accessed by an individual without any obvious hacking skills. The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet. The damage has been done. That bell cannot be unrung.” [CFRA]

Identity Issues

WW – FPF Reports on the Full Spectrum of Practical Data De-Identification

One of the most hotly debated issues in privacy and data security is the notion of identifiability of personal data and its technological corollary, de-identification. De-identification is the process of removing personally identifiable information from data collected, stored and used by organizations. Once viewed as a silver bullet allowing organizations to reap the benefits of data while minimizing privacy and data security risks, de-identification has come under intense scrutiny with academic research papers and popular media reports highlighting its shortcomings. At the same time, organizations around the world necessarily continue to rely on a wide range of technical, administrative and legal measures to reduce the identifiability of personal data to enable critical uses and valuable research while providing protection to individuals’ identity and privacy. This paper proposes parameters for calibrating legal rules to data depending on multiple gradations of identifiability, while also assessing other factors such as an organization’s safeguards and controls, as well as the data’s sensitivity, accessibility and permanence. It builds on emerging scholarship that suggests that rather than treat data as a black or white dichotomy, policymakers should view data in various shades of gray; and provides guidance on where to place important legal and technical boundaries between categories of identifiability. It urges the development of policy that creates incentives for organizations to avoid explicit identification and deploy elaborate safeguards and controls, while at the same time maintaining the utility of data sets. [Source] [Infographic] [Privacy Advisor]

US – Judge: Ashley Madison Breach Victims Must Use Real Names

Victims of the Ashley Madison data breach wishing to be named plaintiffs in the upcoming litigation will need to use their real names. U.S. District Judge John Ross made the decision, saying fake names should only be used in civil litigations in certain cases. “The disclosure of Plaintiffs’ identities could expose their sensitive personal and financial information — information stolen from Avid when its computer systems were hacked — to public scrutiny and exacerbate the privacy violations underlying their lawsuit,” Ross said. “At the same time, there is a compelling public interest in open court proceedings, particularly in the context of a class action, where a plaintiff seeks to represent a class of consumers who have a personal stake in the case and a heightened interest in knowing who purports to represent their interests in the litigation.” Victims have until June 3 to join the class. [Ars Technica]

WW – More than 1 Million Facebook Users Access via TOR Network

It seems that every few weeks or so, a new study about how the dark web is mostly vile and mostly harbors criminals crops up. The majority of people, in fact, would be pretty OK about it were the dark web to be padlocked, according to a recent survey. The battle over anonymizing technologies – encryption and the Tor network that the dark web runs on – is a polemic issue: it often boils down to a simplistic battle between the advocates of innocent individuals’ privacy rights (and of security that isn’t weakened via backdoors) vs. the shielding of criminals. On one side of the argument, Tor is used by whistleblowers, human rights activists, journalists and others to protect their identities. On the other side: it’s also used by people shielding their activities around cybercrime, drugs, illegitimate porn and violent extremism. As it turns out, a large number of people who want to use Facebook secretly without revealing their identities fall into the “legitimate use” side of the battle. Facebook said on Friday that over a million people accessed Facebook through the Tor network this month. That’s up from the 525,000 people who were coming in over Tor over a 30-day period last June, and it follows two years of work to enable people to find the social network on Tor. [Source]

Internet / WWW

WW – Google Beefs Up Chrome Web Store User Data Policy

Google has made changes to the Chrome Web Store User Data Policy to protect users from data theft. Third-party developers must encrypt personal data that they transmit. The revised policy also requires developers to create and publish a privacy policy explaining which data they collect and how it is used. [Register] [Google]

Law Enforcement

CA – Surrey’s License Plate-Scanning & 300 Traffic Cameras Remain Limited

Although the RCMP have now been given 24-hour access to Surrey’s 300 traffic cameras in the fight against gang violence, there is a line Mounties are not attempting to cross. They aren’t proposing to use the 330 city intersection cameras to rapidly scan licence plates and check drivers against policing databases, as now happens with the Automated Licence Plate Recognition (ALPR) system in use on about 40 police cars in B.C. In theory, a stationary system of cameras integrated with ALPR could act as a surveillance network, tracking the movements of known gangsters or quickly identifying suspect vehicles fleeing the scene of a shooting – if that was allowed here as it is in the U.K. “That’s not what exists here in British Columbia or anywhere else in Canada,” RCMP Dep. Commissioner Craig Callens said, giving a short answer of “no” when asked if such a London-style system is being pursued. “I have not been involved in any discussions to this point,” he told Black Press. “And I think to do so would require some considerable consultation with the provincial privacy commissioner.” A University of the Fraser Valley study in 2015 suggested much more could be done with the licence-scanning system to tackle more serious crime. “ALPR is not being used in Surrey to its full potential,” according to the report by UFV criminologists. In other jurisdictions, they noted, the second most common use is for crime intelligence – using ALPR equipped vehicles to patrol high-crime areas to run plates, collect data and identify and track potential suspects. [Source]


US – Support Increases for Legislation to Halt Government Location Tracking

The House Judiciary Committee may consider halting the government’s ability to track citizens’ locations via their cellphones without a warrant sooner rather than later. During its meeting on the Email Privacy Act last week, Chairman Bob Goodlatte, R-Va., said he wants to hold a meeting on how the committee is dedicated to safeguarding geolocation data when the next Congress commences. Goodlatte’s stance is drawing praise from both sides of the aisle and has been compared to legislation from Rep. Zoe Lofgren, D-Calif., requiring the government to seek a warrant in order to intercept or request geolocation data from any citizen. Goodlatte has the support of privacy advocates including Sen. Ron Wyden, D-Ore., who believe location tracking to be a prominent issue to be addressed in the widespread surveillance debate. [Morning Consult]

Privacy (US)

UK – Supreme Court Believes IT Progress Makes Privacy Laws ‘Unenforceable’

Lord Neuberger, president of the UK Supreme Court, expressed skepticism about the overall effectiveness of privacy laws, claiming such orders are “unenforceable.” Delivering his opinions in front of lawyers in Edinburgh, Neuberger believes gains in technology have made it impossible to properly enforce privacy laws, and developments in IT have greatly increased the tensions between personal privacy and freedom of expression. “The existence of the Internet inevitably affects what can be practically achieved in terms of enforcement of privacy, and the law should never seek to acknowledge or enforce rights which are in practice unenforceable,” Neuberger said. [Daily Mail]

US – Legislators Lack Unbiased Scientific and Technical Advice

Budget cuts more than twenty years ago eliminated the US Office of Technology Assessment (OTA), which provided legislators with unbiased scientific and technological information. Former congressman Rush Holt, a trained research physicist, tried to bring OTA back, but did not succeed. He noted, “Most members of Congress don’t know enough about science and technology to know what questions to ask, and so they don’t know what answers they’re missing.” [Wired]


US – DHS Red Teams Conduct Penetration Tests on Government Agencies

The US Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has conducted penetration tests on three unnamed US government civilian agencies. The red teams were able to “own those agencies from top to bottom and side-to-side.” NCCIC now plans to help those agencies fix their network weaknesses. The agencies will also have help developing internal cybersecurity talent so they can continue to conduct similar assessments more frequently. [Source]

US – More Bad News for NASA Cybersecurity

Two more reports have found serious cybersecurity problems at NASA. The agency’s inspector general found that NASA needs to improve continuous monitoring management, configuration management, and risk management. And a private security company, Security Scorecard, ranked NASA last among 600 federal, state, and local government agencies surveyed in its report. Security Scorecard found that NASA had issues with secure sockets layer (SSL) certificates, unsecure open ports, and misconfigured email sender policy frameworks. [Source] [NASA IG Report]

WW – 93 Million Mexican Voter Records Exposed on Cloud

A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken out of the cloud and offline. The database sat exposed to the public for at least eight days after its discovery by a researcher, but originally went public in September 2015. The security researcher discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon’s AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter’s name, address, voter ID number, date of birth, the names of their parents, occupation, and more.

Eventually, after a speaking engagement at Harvard University’s Center for Government and International Studies, the researcher was able to reach someone at the Mexican Instituto Nacional Electoral (INE). The database was pulled offline earlier this morning. Given that the database has been online since September 2015, it isn’t clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown. Mexico has strict laws regarding the usage and access of voter information, and the last time such records were in the hands of a company in the U.S., it became an international incident. “Under Mexican law this data is strictly confidential, carrying a penalty of up to 12 years in prison for transfer or extraction for personal gain. The Mexican Elections Commissioner has confirmed that the database is authentic. The data is now secured but the real question is who else had access to this sensitive information, and who put it on a US-based Amazon cloud server?” he said in a brief statement. [Source] [Hacker discovers information on nearly all Mexican registered voters]

EU – Security Frameworks – EDPS Details Components of Information Security Risk Management Process

The European Data Protection Supervisor has released a guidance document on Information Security Risk Management practices in support of requirements found in Article 22 of Regulation 45/2001. Key steps include establishing a company’s context (collecting relevant information, defining scope, assigning roles), identification and assessment of risks, deciding on responses, management sign-off of residual risks, and ongoing monitoring of risks as well as the process itself. [European Data Protection Supervisor – Guidance – Security Measures for Personal Data Processing – Article 22 of Regulation 45/2001]


US – Federal Appeals Court Says Warrant Not Needed for Stingray Use

The 6th US Circuit Court of Appeals has agreed with the federal government that a warrant is not necessary when using cell-site location technology like Stingrays. The majority of federal appeals court rulings share this position; the only federal appeals court that sided against has agreed to rehear the case, so the opinion has been set aside. The issue is unlikely to head to the Supreme Court anytime soon unless more federal appeals courts disagree with the government. [Ars Technica]

UK – Surveillance Bill Would Require Government Vetting of New Communications Technology

Draft surveillance legislation in the UK would require technology and telecommunications companies to run new products, services, and features by the government prior to their release, to ensure that they provide capability for the government to intercept communications or access stored data. [ZDNet] Privacy International has flagged a provision in the U.K.’s draft Investigatory Powers Bill that would mandate tech firms like Google and Apple to inform spies when their technologies were to be upgraded.

UK – Documents Reveal British Intelligence Agencies Collecting Bulk Personal Data Since 1990s

A collection of more than 100 documents reveals how British intelligence agencies, including MI5, MI6 and GCHQ, have been collecting bulk personal data in secret since the late 1990s. The documents show how the agencies have been stockpiling the data, which includes travel records, financial data and communications information, for longer than previously divulged. The internal memos also reveal how the agencies gathered information on individuals who are “unlikely to be of intelligence or security interest.” Other revelations include continuous issues intelligence agencies face regarding data handling errors, resulting in the disciplining of two MI5 and three MI6 agents between 2014 and 2016 for mishandling bulk personal data, while a GCHQ staff member was fired for unauthorized searches. [Guardian]

CA – Saskatchewan OIPC Issues Best Practices on Public Surveillance

The OIPC SK has provided guidance on video surveillance of public areas, aimed at public bodies who may be subject to:

Images of individuals are personal information under privacy legislation; public bodies deploying CCTV cameras (or similar) should consider the following – confirming that the collection is necessary and lawful (i.e., proper authority under the law), minimizing impact on personal privacy (avoid washrooms, post notices that the area is under surveillance), conducting a PIA, and ongoing audit and review of the program. [Video Surveillance Guidelines for Public Bodies – OIPC SK]

Telecom / TV

US – 60 Minutes Segment Demonstrates Ease of Tracking Smartphones

US television investigative news magazine 60 Minutes ran a segment showing just how vulnerable smartphones are to tracking and eavesdropping. US Senator Ted Lieu (D-California) participated in the demonstration. Using just the 10-digit number associated with the smartphone, Security Research Labs’ Karsten Nohl was able to record calls made to and from the device and track its precise location. Nohl exploited a weakness in the Signaling System No. 7 (SS7) routing protocol to access the phone Lieu was using. [Ars Technica] [ComputerWorld] [The Register] [The Hill]

US – FCC to Examine Mobile Network Security

Following a 60 Minutes television news magazine segment that demonstrated a vulnerability that could be exploited to eavesdrop on phone calls, the head of the US Federal Communications Commission’s (FCC) Public Safety Bureau has directed his staff to look into the Signaling System 7 (SS7) vulnerability. [SC Magazine] [The Hill]

AU – 60 Minutes Australia Covered SS7 Vulnerability Last Year

The SS7 vulnerability was demonstrated last year on a segment for Australia’s 60 Minutes program, which also noted that a relatively inexpensive and readily obtainable device known as an IMSI catcher, or cell-site simulator, could be used to conduct man-in-the-middle attacks against cellphones. [YouTube] [NDTV]

CA – BC Appeals Court Affirms Its Position on Text Message Privacy

On April 11th, the BC Court of Appeal held that a defendant convicted of internet luring and sexual touching of a minor had a reasonable expectation of privacy in direct messages he sent to the complainant and others via a social media platform. The trial judge had found no such expectation – a finding that rested in part on the nature of the messages. The trial judge held that the messages contained no personal information that the defendant had not posted in his public profile and were not sent to an intimate, trustworthy contact. The Court of Appeal viewed the messages differently – as “flirtatious” – and held that the trial judge rested too heavily on the “risk analysis” that characterizes American Fourth Amendment law. It reasoned: While recognizing that electronic surveillance is a particularly serious invasion of privacy, the reasoning is of assistance in this case. Millions, if not billions, of emails and “messages” are sent and received each day all over the world. Email has become the primary method of communication. When an email is sent, one knows it can be forwarded with ease, printed and circulated, or given to the authorities by the recipient. But it does not follow, in my view, that the sender is deprived of all reasonable expectation of privacy. To find that is the case would permit the authorities to seize emails, without prior judicial authorization, from recipients to investigate crime or simply satisfy their curiosity. The analogy between seizing emails and surreptitious recordings [as considered by the Supreme Court of Canada in R v Duarte] is valid to this extent. In the end, the Court found a breach of section 8 but held the evidence was after conducting its section 24(2) analysis. The Court’s reasonable expectation of privacy finding follows its earlier similar finding in R v Peluco. For the context see this Law Times article. [BCCA affirms its position on text message privacy]

US Government Programs

US – U.S. Administration Refuses Information About Spying On Americans

A group of lawmakers from both parties are unhappy that they are being asked to reauthorize two key surveillance programs without the Obama executive branch answering how much data is being gathered on innocent Americans. The two programs authorized by Section 702 of the Foreign Intelligence Surveillance Act are PRISM and Upstream. PRISM is a clandestine surveillance program under which the US NSA collects internet communications from at least nine major US internet companies. Since 2001 the US government has increased its scope for such surveillance, and so this program was launched in 2007. The major companies include Facebook, Yahoo, and Skype. Upstream collection involves four different surveillance programs: In a Foreign Intelligence Surveillance Court (FISC) order from October 3, 2011, it’s said that the Upstream collection accounts for approximately 9% of the total number of 250 million internet communications which NSA collects under the authority of section 702 FAA every year. During the first half of 2011, NSA acquired some 13.25 million internet communications through Upstream collection. The program is unable to exclude domestic communications due to technical difficulties. The government refuses to tell politicians how much data is collected from Americans. Fourteen members of the House Judiciary Committee sent a letter to James Clapper, the Director of National Intelligence, asking for at least a rough estimate of the number. The letter said: “In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis.” Senator Ron Wyden has been asking for the number since 2011. The Privacy and Civil Liberties Oversight Board also asked in 2014. More than 30 privacy groups have also asked for the number. [Source] [Clapper: ‘We’ll do our best’ to figure out surveillance numbers]

US Legislation

US – Legislative News Roundup

Workplace Privacy

CA – Employee Privacy: Ontario Arbitration Board Rules that Employer’s Search of Employee’s Personal USB Key Did Not Infringe Charter Rights

An arbitration board heard a termination complaint filed by a union for federal employees against an Ontario government ministry. A supervisor was permitted by a management rights clause in the collective agreement to search the lost USB key (which was reported to contain employer documents) for evidence of employee misconduct. Any Charter-infringing conduct was minor; some degree of intrusion into personal documents was inevitable because the key was used for both personal and work purposes. [Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v. The Crown in Right of Ontario (Ministry of Government and Consumer Services) – 2016 CanLII 17002 – The Grievance Settlement Board, Ontario]

CA – ONSC Affirms Damages Award for “Friend’s” Leak of Work Schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend. The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant through an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife. Among the issues raised in this scenario: Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information? The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. [Source]



9-18 April 2016


WW – Fingerprint Identification Technology Expanding Beyond Smartphones

Biometric fingerprint technology has surged in popularity among smartphone users, and now companies are looking to bring the technology to new places. Credit card use, rail commuting and entrances to buildings could be the next wave of opportunities to implement fingerprint identification. Specifically, Sweden’s Fingerprint Cards, already leading the market for fingerprint identification sensors in smartphones, believes biometric smart cards could be its most rapidly expanding market by 2018. Security advocates praise fingerprint identification as a superior alternative to pin codes, and the market for the technology continues to grow, with many companies jumping into the business. [Reuters]

WW – Russian Photographer’s Project Shows Ease of Finding People Online

A Russian photographer’s project looks to show how an individual’s private life is becoming less and less private. Egor Tsvetkov created an experiment titled “Your face is big data,” where he took pictures of nearly 100 people sitting across from him on the subway, then used the facial-recognition app FindFace to discover them on VK, a Russian social media site. Tsvetkov located about 60 to 70% of the people he photographed who were between 18 and 35 years old. [PCWorld]

US – Shutterfly Settles Facial Recognition Lawsuit

An undisclosed settlement has been reached between Shutterfly and an Illinois man who brought a lawsuit against the photo-sharing website, claiming the company violated his privacy. Brian Norberg alleged Shutterfly used facial recognition software to identify his face, which ended up in the company’s database after a friend tagged him in a photo in February 2015. Norberg’s suit said Shutterfly analyzed the details of his face and offered other photos he should be tagged in, which the suit asserts violates Norberg’s rights under the Illinois Biometric Information Privacy Act. “Helping a user re-identify his own friends within his own digital photo album does not violate any law,” Shutterfly countered. Had the lawsuit gone to trial, it could have had repercussions for companies using facial recognition software. [Chicago Tribune]


CA – Nova Scotia to Craft New Cyberbullying Law

The province’s Justice Department says it is working on new cyberbullying legislation to replace the Cyber-safety Act, which was struck down in December by the Nova Scotia Supreme Court. Since then the province has had no law on the books specifically dealing with cyberbullying. Over the next several months the province said it will seek legal expertise to craft a new act that balances the right to freedom of speech with a way to protect the victims of cyberbullying. The earliest new cyberbullying legislation could be introduced is the fall. [Source]


WW – Men and Women Differ in Their Approach to Online Privacy and Security

What do internet users want in terms of security and privacy? What do they do to protect their own privacy and security when they use the internet? Hide My Ass! (HMA) commissioned a nationwide survey to find out. The main results revealed a striking disconnect between what people want and what they do while a deeper look uncovered some intriguing differences between men and women. HMA is a VPN (virtual private network) service provider. VPNs hide an internet user’s identity, location and internet activity by encrypting their data and routing their internet connection through multiple IP addresses and remote servers. HMA summarized the results of their survey with an attractive infographic and a more detailed report. While most people want more internet security and privacy, they do very little to make use of the tools and techniques that are available to give them what they want. The survey found that 70% of consumers say they restrict their level of social media use in order to avoid exposing personal information. However, only 25% enable strict privacy restrictions on the social media platforms they use. Likewise, 67% say they want additional layers of security while only 9% use email encryption programs, 11% use a VPN and 13% use two-factor authorization. [Forbes]

WW – RAND Corporation Examines Consumers’ Reactions to Data Breaches

When a data breach occurs within an organization, how do affected consumers respond? It’s the question the RAND Corporation sought to answer in “a nationally representative survey of the consumer experience” following a data breach. Of their findings, RAND reports 26% of respondents, roughly 64 million adults in the U.S., received a breach notification in the 12-month period before the survey, with 44% of those individuals saying they were already aware of the attack from sources other than the affected company. Free credit monitoring was a popular choice among respondents, with 62% of individuals accepting the service. Many were pleased with a company’s reaction to the incidents, with 77 percent reporting high satisfaction with the organization’s post-breach response, and only 11% discontinuing a relationship with the organization following the breach. [Full Story] [Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information]

WW – Firm Releases 2016 Data Breach Litigation Report

Data breach litigation “remains one of the top concerns of general counsel, CEOs and boards alike,” Bryan Cave, a law firm, points out in its latest report on data breach litigation, adding, “there remains a great deal of misinformation reported by the media, the legal press and law firms.” The 2016 Data Breach Litigation Report found a 25% decline in the amount of cases that were filed from its 2015 report. Additionally, when “multiple filings against single defendants” were removed, there were only 21 unique defendants during that 15-month time period, and only 5% of reported data breaches ended up facing class-action litigation. According to the report, such a decline in class actions may derive from an overall decline in reported breaches. [Report]


US – Government Agencies Dead Last in Cybersecurity: Report

The cybersecurity protections at U.S. government agencies — from federal to local levels — ranked dead last compared to 17 other private industries, according to a report from security risk startup SecurityScorecard. SecurityScorecard analyzed the security capabilities of major industries across 10 categories, including weaknesses to malware and rates of password exposure. The security startup examined 35 major government data breaches between April 2015 and April 2016, saying agencies had the worst scores on network security, software patching defects and malware. Among the 600 government entities SecurityScorecard examined, NASA was the worst performer, particularly its susceptibility to email spoofing and malware attacks. Other low ranking agencies included education and telecommunications, while information services, food and construction industries received high marks. [Reuters] [Newsweek]


US – House Judiciary Committee Unanimously Approves Email Privacy Act

In a 28-0 vote, the Email Privacy Act has been approved by the House Judiciary Committee. The new bill, created to update the 1986 Electronic Communications Privacy Act, requires law enforcement to obtain a warrant before requesting email providers to hand over a suspect’s electronic communications stored for more than 180 days. The bill is expected to pass through the House, but might face opposition in the Senate, as civil enforcement agencies — including the Securities and Exchange Commission and the FTC — are concerned the bill could hamper civil investigations. [Morning Consult]

Electronic Records

US – 96% of Health Care Organizations Susceptible to Data Threats: Report

The results of the Healthcare Edition of the 2016 Vormetric Data Threat Report revealed 96% of health care organizations feel susceptible to data threats, the organization said in a press release. Findings included 63% of respondents saying they have experienced a data breach, with nearly 20% experiencing one in the last year. Meeting compliance requirements was the top IT security spending priority, coming in at 61%, with data breach prevention “well behind at 40%.” Complexity clocked in at 54% as the toughest barrier to overcome for better adoption of data security, with lack of staff coming in second. [Full Story]

EU Developments

EU – WP29 Refuse to Endorse Privacy Shield Scheme

The Article 29 Working Party (WP29) met in Brussels to discuss the European Commission’s Privacy Shield scheme, the proposed replacement for Safe Harbor. As anticipated, WP29 decided that in their view Privacy Shield does not offer adequate protection. Whilst the decision is not binding on the Commission it will be hard to ignore if Privacy Shield is to be successful, especially since enforcement is still in the hands of the data regulators who sat around the table at WP29 and not in the hands of the Commission. WP29’s position is not a surprise, especially given the rumours coming out of Germany. Some German data protection authorities have had a long-held objection to Safe Harbor and they have been the most aggressive in enforcement since Safe Harbor died (for more on this see our alert here). Amongst WP29’s criticisms are:

  • A lack of clarity over the ombudsman role; and
  • Exceptions allowing the US to still collect European bulk data.

Most companies will have to plan for a world without Safe Harbor or Privacy Shield at least in the short term. They will have to explore alternative solutions including EU model terms and Binding Corporate Rules (BCRs). BCRs are likely to gain momentum and sources close to WP29 tell us that we can expect statements soon from regulators removing some of the existing objections to BCRs. In addition BCRs will gain in use once their statutory status is confirmed by the forthcoming General Data Protection Regulation (GDPR) – there is more on this in our GDPR FAQs here. [The WP29 issues draft adequacy decision] [IAPP GDPR Resources] [Data watchdogs do not endorse the EU-US Privacy Shield as drafted] [WP29 Privacy Shield opinion sparks anxieties for US businesses] The Hill also reported on businesses’ Privacy Shield related fears, and the potential challenges of trying to alter the agreement. [WP29 on Privacy Shield: More work needed]

EU – European Commission Seeks Views on ePrivacy Directive

The European Commission seeks stakeholders’ views on the current text of the ePrivacy Directive as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital area; the consultation is open until July 5, 2016.

EU – Passenger Name Record Bill Passes

The European Parliament approved the EU Passenger Name Record bill after five years of discussion. The bill will permit federal law enforcement officials to share airline-passenger information, like name and payment data, across national borders for up to five years in an attempt to curb terrorist activity. “It is one all EU governments and indeed the U.S. government have requested as a very important tool to tackling terrorism,” said U.K. MEP Timothy Kirkhope. Critics in the Green Party disagree. “This EU PNR system is a false solution, based on the flawed political obsession with mass surveillance,” said Green MEP and Home Affairs spokesman Jan Philipp Albrecht in a statement. [EUobserver]

UK – CJEU Hears Case on British Data Retention Laws

The EU’s highest court will hear a legal challenge this week concerning the validity of UK data retention laws. In July last year the High Court in London ruled that DRIPA was incompatible with human rights legislation but that decision was appealed by the UK government to the Court of Appeal. The Court of Appeal has asked the CJEU to rule on whether its previous judgment on the Data Retention Directive sets out “mandatory requirements of EU law applicable to a member state’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the EU Charter”. [Source]

EU – Belgian DPA Advises Data Controllers to Have Detailed Cloud Contracts

The Belgian data protection authority issued guidelines for data controllers contracting with cloud service providers regarding compliance with the Data Protection Act. Provisions should include requirements that the provider only process the data upon the controller’s instructions and obtain controller approval for all subcontractors, and a list of the physical locations where the processing takes place for the duration of the contract. [DPA Belgium – Opinion No 10/2016 – Use of Cloud Computing for Data Controllers]

Facts & Stats

CA – Reporting of Government Privacy Breaches Varies Widely

Federal government departments breached the privacy of more than 45,000 Canadians last year but only a small fraction of those breaches were ever reported to Canada’s Privacy Commissioner. Moreover, the proportion of breaches reported to the Privacy Commissioner’s office varied widely from one department to another. For example, while the Justice Department reported 80% of the breaches it discovered, the agency with the largest number of breaches – the Canada Revenue Agency – only revealed less than 1% of its 3,868 breaches to Privacy Commissioner Therrien’s office. While departments are not required to notify Therrien of every breach that occurs, last year he was only notified about 5.3% of the 5,853 privacy breaches discovered by departments. See Chart: Privacy breaches reported to privacy commissioner. [Source] [Document: Order/Address of the House of Commons] [Feds made 5,670 privacy breaches last year; CRA worst offender] [Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS) ] [Ottawa open for comments on proposed breach notification regulations]

CA – Half a Billion Identities Were Stolen or Exposed Online in 2015

500 million identities were stolen or exposed online in 2015 according to a report by digital security firm Symantec. The report also revealed that the amount of malware online increased by 36%, with 430 million new pieces of malicious code being created in 2015. Ransomware attacks are also on the increase, with 35% more attacks than the previous year. The UK ranked as the most targeted nation for spear-phishing campaigns that attempt to steal data by targeting employees within a specific organisation. This type of attack increased by 55% in 2015. We’re also beset upon by fake technical support scams and social media fakes, with the UK being the second most targeted nation globally in both categories. Symantec drew particular attention to the increased number of zero-day vulnerabilities in 2015. It identified 54 zero-day vulnerabilities in 2015, the majority of which existed in widely-used pieces of software. Four out of the five most exploited zero-day vulnerabilities were found in Adobe’s much-maligned Flash Player. On average, each data breach exposed more than 1.3 million identities, but Symantec identified nine ‘megabreaches’ – the leaking of over 10 million records in a single attack – in 2015. [Source] [BBC] See also: [The seven types of e-commerce fraud explained]

CA – Hamilton Using Google Maps to Enforce Bylaws

Since 2002, Hamilton city officials have been quietly collecting aerial photographs that allow enforcement staff to investigate breaches of bylaws, especially the requirement that homeowners acquire a building permit before building a deck or some other construction project. Images from past years can be compared to get an idea when a deck, pool or addition was built. If the structure wasn’t there one year, and appeared the next, it means it was built sometime in between. But Jorge Caetano, the manager of plan examination in the city’s building division, says the information is never used to go on fishing expeditions for violators. It’s only consulted after the city receives a complaint. “We use it as a tool. We don’t use it in place of going there in person to investigate, to see the property,” he said. “At this point, we don’t base enforcement on aerial photographs. We would have to go out there physically and inspect the property. We still have to carry out the proper investigation.” He said information from past aerial photographs could be consulted to verify whether a structure has been there for many years and was, say, built by a former owner. A spokesperson from the IPC Ontario said the use of aerial maps would not appear to violate privacy rules: “As defined in Ontario privacy legislation, personal information means recorded information about an identifiable individual. Several IPC decisions have found that information about properties and businesses does not qualify as personal information as it does not reveal something of a personal nature about identifiable individuals.” [Source]


CA – CRA Should Notify People When Their Bank Records are Shared: Therrien

The CRA should automatically notify individuals when it shares their banking information with the U.S. IRS under a controversial information sharing agreement, says Canada’s Privacy Commissioner. Testifying before Parliament’s Access to information, Privacy and Ethics committee Daniel Therrien said there is no reason for the CRA not to advise people when their information is transferred. “Can it be realized? It is certainly an effort but we know that the government wants to facilitate access to data by citizens so it seems to me that would be a move that would fit in that objective.” Therrien said there are likely electronic ways to notify people when the CRA shares their banking information with the U.S. Therrien said he is also concerned that Canada’s banks and the CRA may be over reporting the number of people considered “U.S. persons” under the information sharing agreement. While the CRA originally estimated that the deal it signed would result in it sending 30,000 to 90,000 banking records to the IRS, it ended up sending 155,000 records. [Source]

US – Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording

With most data now stored electronically, businesses are facing new challenges in relation to data retention and keeping it secure and safe. Bespoke cyber insurance policies and, increasingly, data protection coverage as part of a general commercial liability policy will generally cover both first and third party liabilities in the event that anything happens to that data – but how will these policies respond in the face of deliberate or criminal behaviour by an employee who decides to release data to harm either colleagues or the business? As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result. In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees.

CA – Privacy Law Gives Insurers a Boost in the Battle Against Fraud

With amendments to federal privacy laws last year, group benefits providers are facing a host of new consent and disclosure-related obligations that can offer helpful tools or signal potential headaches. Bill S-4, the Digital Privacy Act, came into force in June 2015. It amended PIPEDA to include new provisions around obtaining consent, disclosing information without consent and mandatory breach notification. For group benefits providers, the most positive development is likely the new provision that will help them fight fraud by allowing for increased disclosure of information without consent in certain cases. Before the amendment, insurers had to obtain the consent of anyone they had a contract with before disclosing their personal information even if that person was suspected of involvement in fraudulent activity. Many of the amendments also create consistency with privacy legislation in Alberta and British Columbia. Industry efforts will include helping insurers to consider ways to share claims data in order to identify fraud trends that the association says can be hard to pinpoint when each provider is working independently. [Benefits Canada] See also: [Out-Law: Insurance Coverage for ‘Malicious Insider’ Breach Depends on Policy Wording]


US – Microsoft Sues Justice Department over ECPA Gag Orders

Microsoft is suing the Justice Department for its frequent use of gag orders that prevent the company from telling users when the government has obtained a warrant to search their emails. Microsoft claims the gag order statute in the Electronic Communications Privacy Act is unconstitutional and violates both the First and Fourth Amendments. In its suit, Microsoft argues that the government has “exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” Brad Smith, the company’s top legal advisor, said, “People should not lose their rights just because they are storing their information in the cloud.” The House Judiciary, earlier this week, unanimously passed a bill that would reform parts of the ECPA. [The New York Times] [Microsoft Corporation Delivers a Reality Check to the U.S. Government – Microsoft Corporation Challenges the Government] [Microsoft Sues Justice Department to Protest Electronic Gag Order Statute]

US – Making Records Accessible on the Internet is a “Publication” –Federal Court

A federal appeals court upheld a ruling against insurance firm Travelers Indemnity Company of America, saying, under the terms of a commercial general liability policy, the company should have defended a client in a lawsuit resulting from an electronic data breach. Travelers was found by a three-judge panel in the 4th U.S. Circuit Court of Appeals in Virginia to have failed to prove its two CGL policies with its client, Portal Healthcare Solutions, excluded the defense of a 2013 class-action lawsuit filed when Portal publicly posted the records of Glens Falls Hospital patients. The trial court summarily rejected the argument that because Portal Healthcare had not intended to release the information, there was no “publication,” stating that “the issue cannot be whether Portal intentionally exposed the records to public viewing since the definition of ‘publication’ does not hinge on the would-be publisher’s intent.” Importantly, the court also rejected the argument that because no one had read the records, there was no “publication.” On appeal, the Fourth Circuit “commended” the trial court for its “sound legal analysis,” but did not add more, including on the scope of the term “publication.” The ruling goes against decisions in Connecticut and New York where CGL policies were determined not to cover damages from cyberattacks. “I think it’s a shocker to CGL insurers to see a decision like this,” said a research analyst. “CGL insurers don’t really think that they should be on the hook for this type of claim. They see this as a cyber and privacy claim, not a general liability claim.” [SC Magazine] [Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 14-1944 (4th Cir. Apr. 11, 2016)] [Source] [Court Opinion] [Appeal] [Federal Court Rules CGL Insurance Covers Data Breach] [4th Circuit affirms Travelers v. Portal Healthcare breach decision]

CA – BC Judge Calls for Restrictions on Court Database Searches

Thomas Crabtree, Chief Judge of the BC Provincial Court, wants restrictions placed upon searches for individuals who were ultimately not convicted of a crime. Crabtree declared a consultation regarding Court Services Online, an online database providing access to criminal records in the Provincial Court. Crabtree believes individuals who weren’t convicted of a crime should not be stigmatized, and cases ending in acquittals, dismissals and withdrawals will only be available in the database in the 30 days after the information is entered. Media outlets are displeased, believing court records should be fully open. “On balance, the need to protect individuals who have not been convicted from misuse of court record information outweighs the desirability of broad online public access to information about such cases and the individuals affected,” Crabtree wrote in a statement. [The Globe and Mail]

US – NSA appoints First Transparency Officer

The National Security Agency has appointed current Civil Liberties and Privacy Director Rebecca Richards as its first ever transparency officer. An NSA announcement states her dual role “complements ongoing initiatives to ensure that NSA has the best civil liberties and privacy practices.” The new role will serve under the Office of the Director of National Intelligence’s Intelligence Transparency Council, which aims to make “information publicly available in a way that enhances understanding of intelligence activities, while continuing to protect information when disclosure would harm national security.” [The Washington Times]

Health / Medical

CA – GPEN Launches 2016 “Internet of Things” Global Privacy Sweep

The Global Privacy Enforcement Network will focus their 2016 Global Privacy Sweep around the Internet of Things. The group, made up of data protection authorities from around the world, including the IPC, will specifically look into the accountability practices of IoT companies during this year’s Sweep. Regulators participating in the event — taking place April 11 through 15 — will examine the privacy practices of various devices, ranging from wearables to smart TVs. The OPC says it will investigate health devices. The IPC is surveying two dozen class 2 medical devices available for sale in Ontario. DPAs will have the flexibility to focus on actual products taken right off the shelf, by investigating statements on company websites, or by directly connecting with a manufacturer. [Office of the Privacy Commissioner of Canada] [Privacy watchdog to study impact of personal Internet devices]

UK – 15,000 Expectant Parents’ Info Compromised

The personal information of more than 15,000 expectant parents was compromised after hackers breached the National Childbirth Trust. The NCT alerted users of the breach, which exposed information including email addresses, usernames and encrypted passwords. No sensitive personal or financial information was accessed in the incident. The cyberattack has been reported to both the police and the U.K.’s data protection authority. A spokesman for the NCT said the organization reached out to affected individuals, advising them to change their usernames and passwords. NCT also posted information on their Facebook page about the hack, while also sending a message on social media telling users their website may face further disruptions. [The Telegraph]

Horror Stories

US – FDIC Breach of 44,000 Customers Caused by Storage Device

A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers. While FDIC Chairman Martin J. Gruenberg said in a March 18 memo that the data was downloaded to the storage device “inadvertently and without malicious intent,” the device included customer names, addresses and Social Security numbers, according to a media report. The former employee signed an affidavit indicating the breached information was not used, the representative noted. [Source]

Identity Issues

CA – BC Law Firm’s Request for ID is Contrary to PIPA

The BC OIPC mediated a complaint from an individual who was asked to produce identification during a free initial consultation with a law firm. PIPA prohibits businesses from collecting more information than is required (a law firm requested ID from a potential client to comply with money laundering legislation, but confirmed that the law society did not require this collection when providing free services). [Potential Client Questions Law Firm Demand for Identification (P16-06-MS)]

CA – CAI PQ Reminds Landlords They May Only Collect Limited Contact and Credit Related Information from Prospective Tenants

The Commission d’accès à l’information du Québec issued reminders to landlords regarding privacy issues in light of July 1st, the traditional “moving day” in Quebec. A landlord may request a prospective tenant’s name and current full address, may ask to see ID, collect the name of a previous landlord, and perform a credit check (with tenant consent); the landlord may not collect data from a health card, driver’s license or passport, and should not request a SIN, employment or salary information, car details (e.g. brand, colour, or license plate number), or details of the tenant’s financial institution. [CAI PQ – Leases and Personal Privacy Principles and Guidelines To Be Respected]

Internet / WWW

WW – New Guidelines Help Cloud Providers Handle Data Breaches

Technology law specialist Bryan Tan discusses new guidelines in Singapore designed to help cloud providers and their business clients handle data breaches while following the country’s data protection regime. According to the new guidelines released by the Infocomm Development Authority of Singapore, the cloud outage incident response rules “are not meant to resolve issues due to cybersecurity, malicious act or breach of personal data protection laws.” The cloud outage incident response, or COIR, guidelines explain how the standards work with Singapore’s Personal Data Protection Act when a data breach occurs, discussing security arrangements to protect personal data, and ensuring security measures are compliant with the PDPA. COIR advises cloud providers on assessing and planning for outages, encouraging response plans for any incidents, while also structuring the severity of the attacks into a four-tier system. [Full Story]

WW – Box to Let Overseas Customers Store Files Locally in Privacy Bid

Box is trying to lure international customers, offering overseas clients concerned about privacy the option to store information locally in cloud datacenters belonging to Amazon.com Inc. or IBM Corp. Starting in May, Box Zones will give customers the choice of locating their files in Germany, Ireland, Japan, and Singapore. The company plans to add more regions in the future, said CEO Aaron Levie, and is looking at further choices in Europe and Asia as well as adding Australia and Latin America. Customers, particularly in some parts of Europe and South America, face laws that require certain types of data to be stored in their country or have strong preferences for that. Storage closer to the customer can also speed up computing. Box runs data centers in the U.S. but didn’t want to incur the costs of building out internationally to attract these customers, and it’s cheaper to pay Amazon and IBM to use their facilities, Levie said. [Source]

Law Enforcement

CA – Report: Canadian Police Have Had BlackBerry Encryption Key Since 2010

The Royal Canadian Mounted Police (RCMP) have had a key to access encrypted BlackBerry messages since 2010, a joint report from Vice News and Motherboard found. According to the report, the RCMP first obtained the key in 2010 as part of an investigation into a series of violent crimes committed between 2010 and 2012. The investigation, dubbed Project CLEMENZA, resulted in the take down of two Italian-based organized crime cells in June 2014. Over the course of the investigation, the RCMP said it read more than one million private messages sent by members of the cell using a PIN to PIN interception technique. The RCMP said the investigation was the first time the encryption-breaking technique was used on such a large scale in a major investigation in North America. Court documents obtained by Vice Canada show the RCMP has a server in Ottawa – called the “Blackberry interception and processing system” – that cracks messages by simulating a mobile device that receives messages as though it were the intended recipient. The documents cite the RCMP’s use of the “correct global key” in decrypting the messages, though the documents do not specify how police obtained the key. [WirelessWeek] [Canadian Law Enforcement Can Intercept, Decrypt Blackberry Messages]

EU – Danish DPA Finds License Plate Information Retained Longer Than Necessary

The Data Protection Authority in Denmark investigated the processing of personal data by a parking lot company pursuant to the Act on Processing of Personal Data. The company retained license plate information on individuals for 15 months (for those exiting within the free parking period), and 5 years (for individuals that made correct payments, and those that did not pay); information for individuals not required to pay and individuals that have provided correct payment should be deleted without delay, and information for individuals that have not paid should be retained until a payment is made or a claim has been settled. [DPA Denmark – File No. 2015-631-0122 – Registration of License Plates in Parking]

CA – Chatham PD Registry of “Vulnerable” People 10% of Population

The Chatham-Kent Police Service is creating a registry of people considered to be vulnerable, through a voluntary online registry service. Data available to police would be submitted by a legal guardian or caregiver to be used by police should they need to interact with or search for them. Chief Gary Conn said the Vulnerable Persons Registry will be implemented with the service through a new online program they purchased called COP Logic. “In two to three weeks it will be soft-launched, so probably at the end of April or beginning of May,” said Conn, who also called the registry, “another investigative tool in our tool kit.” Conn added, “The advantages of the system are pretty self-evident.” He said the information in the vulnerable persons registry could be used, for example, if someone goes missing. If that person’s profile shows they have an attraction to certain places, it could mean finding them more quickly. People who may benefit from being listed with the registry would include those who wander, have an inability to communicate, have fascinations or attractions to places of possible danger such as water or construction sites, or who have social responses such as aggression or fear of the police. When police receive a call involving a registered person or flagged address, the responding officers are notified and given the information contained in the registry to help them in responding more effectively to the situation. Acknowledging that the definition of “vulnerable” is a broad one, Conn said up to about 10,000 people in Chatham-Kent – nearly one-10th of the entire population – might meet the mandate of the definition. The information that will be contained in the registry will be treated as confidential by officers, subject to the Personal Health Information Protection Act, and will be used when responding to incidents or investigations involving the registered person. [Source]

Online Privacy

WW – Study: Shortened URLs Not As Private As You Think

In a paper released April 14, researchers at Cornell Tech outlined how Google,, and Microsoft’s shortened URLs can be “brute-forced” by hackers to access and manipulate so-called “private” sites. “With a decent number of machines you can scan the entire space,” said Cornell Tech’s Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.” Once the process is complete, “online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone,” the researchers said in their report. “This leads to serious security and privacy vulnerabilities.” [Wired]
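The keyspace arithmetic behind the researchers' point, as an added example that is not taken from the paper or the article: it shows why a short random token offers little secrecy and how long a sharing token must be before guessing stops being practical. The 62-symbol alphabet, token lengths, request rate and link counts are assumed values chosen for illustration.

```python
import secrets
import string

# Assumed token alphabet (a-z, A-Z, 0-9 = 62 symbols); not taken from the article.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def token_space(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def full_sweep_days(space: int, requests_per_second: float) -> float:
    """Days needed to request every possible token once at a sustained rate."""
    return space / requests_per_second / SECONDS_PER_DAY


def expected_guesses_to_first_hit(space: int, live_links: int) -> float:
    """Expected number of distinct random guesses until one matches a live link.

    With `live_links` valid tokens spread uniformly over `space` possibilities,
    the first success is expected at position (space + 1) / (live_links + 1).
    """
    return (space + 1) / (live_links + 1)


def min_token_length(alphabet_size: int, live_links: int,
                     requests_per_second: float, years_to_first_hit: float) -> int:
    """Shortest token length for which a guesser sustaining the given rate
    is expected to need at least `years_to_first_hit` years to find one link."""
    budget = requests_per_second * years_to_first_hit * SECONDS_PER_YEAR
    length = 1
    while expected_guesses_to_first_hit(
            token_space(alphabet_size, length), live_links) < budget:
        length += 1
    return length


def new_share_token(length: int) -> str:
    """Unguessable token drawn from the OS CSPRNG, for links meant to stay private."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: 6-character tokens, 100 million live links,
    # 10,000 requests per second across all scanning machines.
    space = token_space(len(ALPHABET), 6)
    print("possible tokens:", space)
    print("days to sweep everything:", round(full_sweep_days(space, 10_000), 1))
    print("guesses until a live link:",
          round(expected_guesses_to_first_hit(space, 10**8)))
    needed = min_token_length(len(ALPHABET), 10**8, 10_000, 1000)
    print("length for a 1000-year expected search:", needed)
    print("sample token:", new_share_token(needed))
```

A long token only protects a resource if the service also rate-limits lookups and does not treat possession of the link as the sole access control for sensitive content.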

WW – Google Unveils Privacy-Protective Beacon

Seeking an answer to Apple’s iBeacon, Google released new information on its open-source beacon format Eddystone. Eddystone has four different frame types, one for identifying other beacons, a second to send URLs to other devices, and a third that sends diagnostic data on a user’s phone. The fourth option, the Ephemeral Identifiers mode, offers a secure connection between the beacon and user. The EID is the only format to keep device information private and can be used to act as a Bluetooth tracker to locate various objects, like car keys. No identifiable or traceable information is available outside the connection as EIDs are equipped with a constantly changing identifier that alters the beacon ID — anywhere from a couple of seconds to hours at a time — making it difficult for third parties to capture any usable information. [Ars Technica]
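A minimal model of a rotating identifier of the kind described above, as an added example that is not Google's code: the beacon broadcasts a value derived from a secret key and a quantized clock, and only a resolver holding the key can map it back to the beacon. It uses HMAC-SHA256 from the Python standard library as a stand-in for the derivation defined in the Eddystone-EID specification; the key, clock values, rotation exponent and beacon name are constructed.

```python
import hashlib
import hmac


def ephemeral_id(identity_key: bytes, clock_s: int, rotation_exp: int) -> bytes:
    """Identifier broadcast during the rotation period containing clock_s.

    The clock is rounded down to a multiple of 2**rotation_exp seconds, so the
    identifier stays constant within a period and changes at each boundary.
    HMAC-SHA256 truncated to 8 bytes is this model's choice, not the spec's.
    """
    period_start = (clock_s >> rotation_exp) << rotation_exp
    message = bytes([rotation_exp]) + period_start.to_bytes(4, "big")
    return hmac.new(identity_key, message, hashlib.sha256).digest()[:8]


class Resolver:
    """Holds the shared keys and maps an observed identifier to a beacon."""

    def __init__(self):
        self._beacons = {}  # name -> (identity_key, rotation_exp)

    def register(self, name: str, identity_key: bytes, rotation_exp: int) -> None:
        self._beacons[name] = (identity_key, rotation_exp)

    def resolve(self, observed: bytes, now_s: int, drift_periods: int = 1):
        """Return the beacon name, or None if no registered key explains the value.

        Neighbouring periods are tried to tolerate clock drift; anything older
        is rejected, which also defeats replay of a captured identifier.
        """
        for name, (key, exp) in self._beacons.items():
            period = 1 << exp
            for step in range(-drift_periods, drift_periods + 1):
                candidate_time = now_s + step * period
                if candidate_time < 0:
                    continue
                candidate = ephemeral_id(key, candidate_time, exp)
                if hmac.compare_digest(candidate, observed):
                    return name
        return None


if __name__ == "__main__":
    # Constructed key and clock values; 2**10 = 1024-second rotation period.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    resolver = Resolver()
    resolver.register("car-keys", key, 10)

    first = ephemeral_id(key, 5000, 10)
    later = ephemeral_id(key, 5120, 10)   # next period: a different value
    print(first.hex(), later.hex())
    print(resolver.resolve(first, now_s=5100))            # car-keys
    print(resolver.resolve(first, now_s=5000 + 10 * 1024))  # None: stale capture
```

A passive observer sees only the 8-byte values, which do not repeat across periods and cannot be linked to each other without the key.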

WW – How Should Crowdfunding Platforms Deal With Privacy?

Crowdfunding has seen explosive growth, both domestically and globally, in the past few years. As the industry continues to mature, U.S.-based crowdfunding platforms are beginning to find that privacy considerations deeply impact their business. Aside from the usual considerations facing traditional financial service companies, crowdfunding platforms must be conscientious in the type of borrower or sponsor data they choose to display to investors on their website. Depending on the particular measures employed to protect the individual’s identity, the website may end up publishing very sensitive information in violation of strong public policies in favor of identity protection. [Privacy Advisor]

US – NAI Members’ Privacy Practices Up to Snuff: Study

The Network Advertising Initiative published its 2015 Annual Compliance Report, compiled by NAI Counsel and Director of Compliance Anthony Matyjaszewski. The report studied its “members’ adherence to the NAI Code of Conduct,” and found NAI members “met their obligations under the provisions of the code and demonstrated their commitment to consumer privacy and industry best practices.” The NAI’s Noga Rosenthal said, “NAI is set apart in the industry by its high standards for Internet-Based Advertising and related business models, and our robust monitoring program that ensures compliance with these standards. The 2015 Compliance Report shows that member companies continue to take their obligations under the code seriously.” [Network Advertising Initiative]

WW – As Friend Network Grows, Facebook Sharing Decreases

Facebook is trying to combat a growing lack of “personal sharing” that occurs as social media users’ friend groups increase and a sense of online intimacy diminishes. The trend of sharing news articles instead of personal status updates has led to what insiders dub a “context collapse,” with “original sharing” of personal anecdotes down 21% since mid-2015, the report states. Instead, users are employing outlets like Instagram and Snapchat to share, where their audience is comparatively small. Facebook’s newer “On This Day” feature is an attempt to combat the trend, the report adds. Meanwhile, a forthcoming Chrome extension, “Data Selfie,” will let users see their data profile as Facebook and other advertisers do, Motherboard reports. [Bloomberg Technology]

Privacy (US)

US – FTC Accepting Research Proposals for 2016 Events

The FTC is accepting proposals via public comment from privacy researchers for its upcoming PrivacyCon and Fall Technology Series events. The FTC’s 2016 focus is on research papers that “quantify consumers’ privacy and security interests, discuss attack trends and responses, and describe research on transparency and control,” the report states. “It is extremely valuable for us to hear from privacy and security researchers about their work,” the report continues. “This helps us stay up-to-date with technology and identify potential areas for investigation and enforcement.” The FTC will accept PrivacyCon submissions until Oct. 3. [Source]

US – Uber to Pay Up To $25M in Driver Background Checks Lawsuit

Uber has settled a civil lawsuit with the district attorneys of L.A. and San Francisco over claims the company deceived customers on its safety practices and driver background checks. In papers filed in a U.S. District Court, Uber will pay $5 million to each of the district attorneys and faces an additional $15 million fine if the terms of the settlement aren’t met within two years. Additionally, the safety-related language Uber uses around the ride fees must be reworded. The lawsuit claimed Uber overstated safety measures used to screen drivers, only requiring a driver pass a background check carried out by a third-party service. [The New York Times]

US – Lawsuit: Seattle Compost Ordinance Is Rotten

A Seattle ordinance that bars people from throwing their coffee grounds, pizza scraps and other potential compost into their trash cans is being challenged by critics who say the liberal city is turning garbage collectors into trash investigators. A group of homeowners has sued the city over the tactic, claiming it violates privacy protections provided by the state Constitution. The rule that went into effect early last year requires trash collectors to tag garbage cans that contain more than 10% compostable material with educational information. The tactic is projected to divert as much as 38,000 tons of extra food waste from a landfill every year. Several other cities have passed similar food waste laws, including Vancouver, B.C., San Francisco and Portland, Oregon. Lawyers for the homeowners cited a case that was argued in front of the Washington Supreme Court in which Port Townsend police searched a man’s garbage for evidence that he was selling drugs after the trash was placed on a curb. The court ruled police needed a warrant to search the rubbish, even if it was in plain view near the sidewalk. Homeowners also presented an affidavit from someone claiming they were tagged for compost violations twice when their trash had been secured in black plastic bags, suggesting collectors opened the bags to search for compost. [Source]

US – Uber has Given US Agencies Data on More than 12 Million Users

Uber has released its first ever transparency report. More than 12 million riders and drivers were affected by regulators’ data demands between July and December 2015. The fact that regulators are doing the demanding is what makes the number so big. Uber’s the first company, it claims, to include regulatory requests. Uber says the reason it’s including regulatory requests is that its business is “different.” Besides regulatory data, Uber provided data on 469 users to state and federal law agencies. The agencies requested information on trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers. It got 415 requests from law enforcement agencies, the bulk of which came from state governments. It produced data in nearly 85% of these cases. Uber used the transparency report release to push back against regulatory agencies that it thinks could compromise users’ privacy by going after more data than necessary. From the Medium post: “In many cases they send blanket requests without explaining why the information is needed, or how it will be used. And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior – and is more than regulators need to do their jobs. It’s why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed.” This isn’t the first time Uber has wrangled with the California Public Utilities Commission (CPUC) over rider and driver data. In January, the CPUC fined Uber $7.6 million for failing to meet data reporting requirements in 2014. The CPUC was after data about accessible cars, the number of rides requested and accepted per ZIP code, and driver safety information. [Source]


UK – Brits Suffer More than 2,000 Ransomware Attacks Each Day

DON’T PANIC but the amount of cyber crime bashing the UK is increasing, at least according to Symantec and one of its regular round robin threat missives. The Symantec 2016 Internet Security Threat Report warned that threats are rising in several areas. The firm logged an international increase of 35% in crypto-ransomware attacks, the UK taking the third largest chunk with up to 2,215 attacks a day. Some of the best advice from the security community is to use strong passwords, a suggestion Symantec makes in its summaries and guidance information. The security firm said that the enemy is now more organised than ever before, and that most groups have the same kind of resources, skills and support as nation-state hacker groups. [The Inquirer]

Smart Cars / IoT

US – NTIA Begins Internet of Things Consultation

The National Telecommunications and Information Administration (“NTIA”) has initiated an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape; NTIA is seeking input from interested stakeholders on the potential benefits and challenges of these technologies and what role, if any, government should play – comments are due before May 23, 2016. [Source]


CA – RCMP Being Investigated Over Controversial Spy Tech

An OPC spokesperson confirmed that it has opened an investigation into the RCMP’s use of IMSI catchers, or “StingRays.” These devices are essentially fake cell phone towers that force phones in the vicinity to connect and reveal identifying information. The use of such devices has been the topic of much heated discussion and public debate in the US. The Florida Supreme Court ruled that the warrantless use of StingRays by police is unconstitutional in 2014. StingRays are controversial because they target devices within a certain area, and thus risk violating the privacy of innocents. A leaked email from Correctional Services Canada last year indicated that an unnamed, StingRay-like device was installed in an Ontario prison to monitor inmate communications, but also caught innocent people outside the facility in the dragnet. “These are fundamentally tools of mass surveillance,” said David Christopher of OpenMedia, the organization that filed the privacy complaint that spurred OPC’s investigation. Canadian police have been extraordinarily unforthcoming when it comes to the use of IMSI catchers, or StingRays. Last month, seven men accused in a Quebec court case relating to a mafia slaying pleaded guilty, but not before the RCMP was forced to reveal in open court that they had used a so-called “mobile device identifier”—the RCMP’s term for IMSI catchers—in the course of their investigation. The end of the case meant that the RCMP will reveal no more information about its use of IMSI catchers in court. In BC, Vancouver police are embroiled in a public battle to keep the details of their use of IMSI catchers secret. [Source] See also: [Feds back RCMP secrecy on possible use of ‘stingrays’ for surveillance] [Privacy watchdog to investigate RCMP over alleged ‘stingray’ cellphone surveillance]

US – Bill Permits Government Use of Automatic License Plate Reader Systems

HB 93, An Act to Amend Article 1 of Chapter 1 of Title 40 of the Official Code of Georgia, has passed the House and is tabled in the Senate. Law enforcement agencies are permitted to store (immediately upon collection) and exchange license plate data; the data cannot be accessed except for a law enforcement purpose, must be destroyed no later than 1 year after collection, and policies and procedures for use and operation of an automated license plate recognition system must be maintained. [HB 93 – An Act to Amend the Georgia Code to Prohibit Law Enforcement from Retaining License Plate Data Obtained from License Plate Recognition Systems]

Telecom / TV

US – California Says No to Phone Decryption Bill

A California bill that aimed to punish companies for making smartphones that can’t be cracked has failed. The bill, introduced in January by assembly member Jim Cooper, required any smartphone sold in California to have the ability to be decrypted. It was “rejected without a vote,” the report states. “The bill, both before and after it was amended, posed a serious threat to smartphone security,” said Rainey Reitman of the Electronic Frontier Foundation. “It would have forced companies to dedicate resources to finding ways to defeat their own encryption or insert backdoors to facilitate decryption.” [ZDNet]

WW — Google Changes App Developer Rules

Aiming to improve privacy and mitigate risk, Google has released a new set of users’ data policy rules for its Chrome Web Store. Developers will be required to publish a privacy policy and use encryption for sensitive or personal information, the report states. And if sensitive data is being collected for a reason that isn’t directly related to an app feature, a prominent disclosure is required, separate from the privacy policy. The change comes following the passage of the GDPR, which requires “clear and affirmative consent” when processing personal data, the report states. Google says developers have until July 14 to make the necessary changes to comply. [ZDNet]

US Government Programs

US – Privacy Orgs Encourage FCC to Ignore Comment Extension Requests

The Center for Digital Democracy, Electronic Privacy Information Center, and eight additional agencies have asked the FCC to disregard the Association of National Advertisers’ request to extend the evaluation time of the FCC’s new behavioral advertising regulations. The ANA’s request for a 60-day deliberation extension is “unwarranted,” as “the public has long had notice of many of the questions the FCC would attempt to address in this proceeding,” the groups said in a letter to the FCC. “This issue is extremely important and timely. In order to protect consumers without undue delay, the FCC should decide it as quickly as possible.” [MediaPost] [Association of National Advertisers seeks extension for comments on FCC’s broadband rule]

US Legislation

US – Draft Crypto Bill Criticized as “Ludicrous, Dangerous, Technically Illiterate”

US senators have introduced legislation that would require technology companies to comply with requests from law enforcement to unlock encrypted devices. A “discussion draft” of the bill was leaked last week. It has been criticized for weakening security and hindering competitiveness. The bill requires compliance with court orders for information, and if the information is “unintelligible,” the bill requires that the information be made “intelligible.” [Wired] [SC Magazine] [CNET] [InformationWeek]

US – House Bill Would Require Verification of Identification to Purchase Pre-Paid Mobile Devices

H.R. 4886, Closing the Pre-Paid Mobile Device Security Gap Act of 2016, was introduced in the House of Representatives and referred to the Committee on Energy and Commerce. Authorized resellers of mobile devices and SIM cards would be required to collect identifying information at time of purchase and share the information with the device’s wireless carrier; failure to comply with these provisions can result in civil penalties of $50 for each separate offense. [H.R. 4886 – To require purchasers of pre-paid mobile devices or SIM cards to provide Identification]

Workplace Privacy

CA – Secret Video Surveillance Allowed In Ontario Dismissal Case

In a preliminary award, an Ontario arbitrator allowed covert video surveillance footage to be used as evidence in a wrongful dismissal grievance. The complainant, Mr. Donnelly, was one of three elementary school custodians dismissed for allegedly smoking marijuana adjacent to school grounds during working hours. The wrongful dismissal case between Ottawa-Carleton District School Board and Ontario Secondary School Teachers’ Federation, District 25 (Donnelly Grievance) was mediated by Arbitrator Knopf. The three dismissed custodians were reported by a fellow employee who alleged marijuana use and trafficking while at work. Following the report, the Board’s Director of Human Resources sought approval to hire a private security company to conduct covert video surveillance. The surveillance team was strictly instructed to record only illegal drug use within the vicinity of the school. After the footage was obtained, the complainant was reprimanded and his employment terminated by the Board. In Donnelly’s defence, the union highlighted the failings of the surveillance footage in adhering to the Board’s policies and procedures. The union maintained that the security company had failed to deliver the video evidence in a secure manner, without proper documentation of the approval process. They argued the video evidence was inadmissible, as policy permitted video surveillance only to enhance safety, protect property or identify intruders, and not to collect dismissal evidence. Furthermore, they contended such covert video surveillance should only be used as a last resort, which this was not. Privacy rights were taken into account when assessing the admissibility of the video footage; however, Arbitrator Knopf accepted the evidence in light of the management’s right to provide a safe workplace. She decided this was a last resort situation, and the former employee had a low expectation of privacy since he allegedly engaged in illegal drug use and trafficking in a public space, while at work and wearing a work uniform. She said that the Board had a reasonable basis to carry out the surveillance, amid credible allegations of illegal behaviour on school grounds. [Source] See also: [Ireland CCTV images of illegal dumpers raise privacy concerns: Data Protection Commissioner contacts Dublin City Council over litter poster]

CA – Tribunal Denies Request by Employer to Submit Surreptitiously Obtained Evidence from Employee’s Social Networking Account

A Quebec labour tribunal considered an appeal of an earlier decision, including a request to consider evidence from an employee’s social networking site. The employer obtained the social networking profile content through the deceptive actions of an unknown third party, and it is not the first occasion on which the employer has done so; the employer has not demonstrated sufficient grounds to justify such an invasion of privacy (i.e. a serious purpose that would appropriately allow the employer to discover dishonest content of the employee’s Facebook page, without the employee’s knowledge). [Maison St-Patrice Inc. v. Julie Cusson – 2016 QCTAT 482 – Administrative Labour Tribunal]

CA – Best Practices: OPC Guidance on Handling Employee “Snooping”

The OPC guides entities on addressing inappropriate employee access to personal information. Organizations must set clear expectations with their employees (through clear communication concerning snooping, its harm and consequences), monitor for unauthorised access to records (audit access logs), and be prepared to respond appropriately when snooping is discovered (conduct of investigation, mitigate harm to affected individuals, and include disciplinary action). [OPC Canada – Ten Tips for Addressing Employee Snooping]

AU – New Legislation Allows Companies to Surveil Suspicious Employees

New Australian legislation allows employers to watch their employees outside of the workplace if there’s suspicion of unlawful activity tied to their job. The law covers 160,000 Canberra workers, UnionsACT Chief Alex White said. “If someone has done the wrong thing, if they are breaking the law or engaging in criminal activity, the appropriate agency to investigate that is the police, it’s not the employer or insurance company,” said White. Justice Minister Shane Rattenbury said strict safeguards are enacted to ensure workers have a right to privacy. “There are important safeguards there with the requirement for a magistrate to permit any sort of surveillance that is undertaken,” said Rattenbury. “We also worked very closely with the Human Rights Commission to make sure that these rights, these new powers, were compliant.” [Full Story]


01-08 April 2016


IN – Indian Gov’t Biometric Database at One Billion-Person Mark

India’s biometric database notched up one billion members this week, as the government sought to allay concerns about privacy breaches in the world’s biggest such scheme. India is home to 1.2 billion people. The database was set up 7 years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93% of India’s adult population have now registered their fingerprints and iris signatures and been given a biometric ID. IT minister Ravi Shankar said the initiative had enabled millions to receive cash benefits directly rather than dealing with middlemen. He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone – by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates. He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database. His comments come after parliament passed legislation giving government agencies access to the database in the interests of national security. It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house. [Agence France-Presse]

JP – Fingerprints to be Tested as ‘Currency’ in Japan

Starting this summer, the Japanese government will test a system in which foreign tourists will be able to verify their identities and buy things at stores using only their fingerprints. The government hopes to increase the number of foreign tourists by using the system to prevent crime and relieve users from the necessity of carrying cash or credit cards. It aims to realize the system by the 2020 Tokyo Olympic and Paralympic Games. The experiment will have inbound tourists register their fingerprints and other data, such as credit card information, at airports and elsewhere. Tourists would then be able to conduct tax exemption procedures and make purchases after verifying their identities by placing two fingers on special devices installed at stores. The Inns and Hotels Law requires foreign tourists to show their passports when they check into ryokan inns or hotels. The government plans to substitute fingerprint authentication for that requirement. A total of 300 souvenir shops, restaurants, hotels and other establishments will participate in the experiment. They are located in areas that are popular among foreign tourists. The government plans to gradually expand the experiment by next spring, to cover areas including tourist sites in the Tohoku region and urban districts in Nagoya. It hopes to realize the system throughout the country, including Tokyo, by 2020. [Source]


CA – CSE and CSIS Looking to Work Together, Say Top Secret Documents

Canada’s top two intelligence agencies are looking for new ways to work together, while review bodies remain in silos. The heavily censored documents were sent by CSE chief Greta Bossenmaier and CSIS director Michel Coulombe to Richard Fadden, the national security adviser to the prime minister, in August 2015. Fadden was both a former director of CSIS and the former top bureaucrat at National Defence, which is responsible for CSE. Bossenmaier and Coulombe suggest the two agencies are trying to “leverage (CSE’s) Mandate C authorities,” and set up a working group to “maximize opportunities for operational collaboration.” That could spell trouble for the small group of independent watchdogs reviewing the spy agencies’ activities. Both the Security Intelligence Review Committee and the CSE Commissioner’s office can review their respective agencies but can’t conduct joint investigations or see the big picture. [The Star]

CA – Liberals Postpone Full Access-to-Information Reform to 2018

The Liberal government says a full review of the outdated Access to Information Act will have to wait another two years. A comprehensive examination of the access law will begin in 2018, Treasury Board President Scott Brison said. Meantime, the government plans to introduce legislation as soon as this year with quick fixes to the law, based on promises the Liberals made during the election campaign and consultations already under way. The promised changes include giving the information commissioner the power to order government records to be released and ensuring the access law applies to the offices of the prime minister, his cabinet members and administrative institutions that support Parliament and the courts. A Commons committee recently began a study of the Access to Information Act, which has not been substantially updated since it took effect almost 33 years ago. In addition, the government began a public consultation on transparency on Tuesday. People can go to to offer their views on what should be in the next federal strategy on open government. Officials will also hold in-person discussions across the country and the resulting plan is to be released this summer. [Source] See also: [Canadian officials requested to meet with Information Commissioner Suzanne Legault in order to find “a mutually satisfactory resolution” to a constitutional challenge to a law that protected Mounties after they destroyed data]


US – FCC Exploring Supercookie Ban in Verizon Case

As part of the FCC’s proposal to require ISPs to gain consent before tracking consumers’ online behavior for ad purposes, it is also considering banning certain tracking technologies. The FCC is seeking comment on “whether the use of persistent tracking technologies may expose … customers to unique privacy harms and as such, whether the Commission should prohibit (Internet service) providers from employing such practices.” More specifically, it would like to know whether the technologies should require some form of customer consent, and whether the technology, or banning it, has benefits for consumers. [Full Story]

EU – Group of 75 Consumer Orgs Comes Out Against Shield

Trans Atlantic Consumer Dialogue, a collection of 75 consumer-rights groups based in the U.S. and Europe, issued a statement today urging the European Commission “not to adopt the Privacy Shield.” The group criticized the potential adequacy agreement for being a “self-declared, self-regulatory system, which will be adhered to by a limited number of companies” and said the U.S., because it lacks a “robust” privacy framework, cannot guarantee an essentially equivalent level of protection for personal information of European citizens. TACD also urged the Commission to hold off on signing the EU-U.S. Umbrella Agreement for the sharing of data between law-enforcement agencies and to “prompt those Member States engaging in mass surveillance of individuals to put an end to such practices.” [Full Story]


CA – CRTC Enters into MOU with FTC on Spam & DnC

On March 24, 2016, the CRTC signed a memorandum of understanding with the US FTC. The MOU is an effort by Canada and the US to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets). The MOU will allow the Participants to facilitate research and education related to unauthorized communications. Both Commissions also plan to share knowledge and expertise through training programs and staff exchanges, and to inform each other of developments related to the laws, among other activities. [Source]

US – FBI: $2.3 Billion Lost to CEO Email Scams

The U.S. FBI this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270% increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries. The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. [Krebs]


WW – WhatsApp Just Switched on Encryption for a Billion People

WhatsApp, an online messaging service now owned by tech giant Facebook, has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. And today, the enigmatic founders of WhatsApp revealed that the company has added end-to-end encryption to every form of communication on its service. This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices. [WIRED] See also: [Public Safety, RCMP saying little about WhatsApp encryption]

EU Developments

EU – Deal with EU, Canada to Share Air Travellers’ Data Raises Privacy Fears

An agreement between the EU and Canada to share airline passenger data that they say is key to fighting terrorism drew tough scrutiny at an EU court hearing last week because of privacy concerns. The dispute over the retention and sharing of passenger name records (PNR) has become a shibboleth in Brussels for the debate over balancing people’s privacy with the need to protect against terrorism. The agreement with Canada foresees the retention and sharing with Canadian authorities of airline passenger data by carriers operating flights between the EU and Canada. The Luxembourg-based Court of Justice of the European Union (ECJ) heard arguments for and against the agreement at a six-hour proceeding. Islamist militant attacks in Paris last year and last month’s attacks in Brussels have stoked calls for law enforcement agencies to have easier access to people’s data. Ireland, France, Britain, Spain and Estonia, who intervened in the case, emphasized that PNR do not allow investigators to paint a detailed picture of someone’s private life. But the European Parliament and privacy advocates cast doubt on that assertion. [Reuters]

EU – Other News

Facts & Stats

WW – 2016 Data Security Incident Response Report

BakerHostetler has yet again compiled a year’s worth of breach response data into a compact report that analyzes trends in data breach response, released this year to coincide with the Global Privacy Summit. “Is Your Organization Compromise Ready?” documents lessons learned from more than 300 security incidents in 2015. Some of the major findings? Nearly a quarter of all breaches happened in the healthcare industry. It takes an average of 69 days from occurrence of a breach to its discovery, and an average of 40 days from discovery to notification. And nearly a quarter of incidents led to regulatory investigations or inquiries. [Read More]


WW – Panama Document Leak Exposes Global Corruption, Secrets of the Rich

The financial secrets of heads of state, athletes, billionaires and drug lords have been exposed in the latest — and biggest ever — leak of records from an offshore tax haven. The leak includes 11.5 million confidential documents shedding light on the assets and murky fiscal dealings of everyone from the prime ministers of Iceland and Pakistan to soccer player Leo Messi, movie star Jackie Chan and associates of Russian President Vladimir Putin. The records, dating as far back as 1977, come from a little-known but highly influential Panama-based law firm called Mossack Fonseca, which has 500 staff working in 40-plus countries. The firm is one of the world’s top creators of shell companies — corporate structures that can be used to hide ownership of assets. German newspaper Süddeutsche Zeitung obtained the files from a source and shared them with global media partners, including CBC News and the Toronto Star, through the Washington-based International Consortium of Investigative Journalists. The release of the leaked documents may prompt governments to seek “concrete sanctions” against jurisdictions and institutions that peddle offshore secrecy. [CBC News]

US – NAIC Seeks Feedback for Insurance Data Security Law

A cybersecurity task force of the National Association of Insurance Commissioners (NAIC) has proposed a new insurance data security model law. The initiative, introduced last month, establishes new standards for data security, breach responses and the roles of the regulator, the organization says. “Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.” Early responses to the proposed law have been mixed, with other associations raising concerns about the law’s suggestion that insurance regulations be allowed to vary by state and variations in response allowed for jurisdictional commissioners. After several high-profile hacks in 2015, the insurance industry and its regulators still are learning about the hackers aggressively hunting customers’ personally identifiable information (PII) data, financial records and medical histories. [Source] [See Graphic] See also: [state data security breach notification laws] and also: [Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker]

US – Cyber Insurance Rates Drop

The rates for cyber insurance for organizations usually deemed to be high risk, such as retailers and healthcare organizations, fell during the first three months of 2016 because of a drop in high-profile breaches. The average price for US $1 million in insurance fell to US $18,756. Last year, in the wake of high-profile breaches like those at Target and Home Depot, the average premium was as high as US $21,642. [Reuters]


CA – NL Teachers Going to Court to Fight Sunshine List Disclosure

The Newfoundland and Labrador Teachers’ Association (NLTA) plans to go to court to block the release of the names of about 300 people who earn more than $100,000 working in the province’s school system. NLTA president Jim Dinn said that when he became aware of an access to information request seeking the names and salaries of teachers, he “immediately” knew the association had to fight it. Dinn said he believes releasing the list of teachers, principals and other educators earning more than $100,000 would be an undue invasion of privacy. Last year, as part of the Progressive Conservative government’s push for greater government openness and transparency, then-minister Steve Kent committed to creating a so-called “sunshine list” that would include the names, positions and remuneration of all government employees earning more than $100,000. The project was never completed because the Tories were tossed from government by voters in the November election. Since they took power, the new Liberal government has been indecisive on whether to follow through. In the meantime, The Telegram filed a suite of access to information requests in an attempt to create an ad hoc sunshine list. Several public bodies — including Memorial University, the core civil service, Nalcor Energy and the Royal Newfoundland Constabulary — have provided the requested information, and that data will be posted online by The Telegram this week. However, the province’s four regional health authorities and the English School District have declined to provide employees’ names. Those five public bodies said they would first inform their employees about the potential disclosure, and if anybody objected, the matter would be sent to the Office of the Information and Privacy Commissioner, or to the courts, for a ruling. [Source]

CA – NL Salary Disclosures OK Under New Access Law, Watchdog Says

Newfoundland and Labrador’s information and privacy commissioner says the new transparency law that replaced Bill 29 permits the public release of salary details of employees of public bodies. “It is our view that such a disclosure is in compliance with the law,” Ed Ring said in a press release issued Monday afternoon. Ring noted that a number of public bodies have already released that information in response to open-records requests. But he said others “have been uncertain in their interpretation of the law,” and have notified affected employees before releasing the information. Ring noted that a panel led by former premier and judge, Clyde Wells, that reviewed access-to-information laws found that disclosure of salary details is not an unreasonable invasion of privacy, and therefore cannot be withheld by a public body. “It is the interpretation of this office that this means that names of public body employees and their salaries are to be disclosed to an access-to-information applicant upon request,” Ring noted. “This type of disclosure is not unusual in Canada, and for example, has been done for many years under different legislation in Ontario.” [Source]

US – The FBI Says a Piece of Code Broke Its FOIA System

In February, activist Michael Best took a novel approach to filing a mass of Freedom of Information Act requests at once: he wrote a script to automatically ask for the files of just under 7,000 dead FBI officials. The FBI has replied, and it is not happy. The agency decided to not accept any of Best’s related requests, and may have also blocked or otherwise filtered further emails sent to the agency’s FOIA department by him. The episode shows that the way FOIAs are processed is very much an antiquated practice, and that perhaps US government agencies should think of new ways to handle requests. “The FBI email portal is designed to provide a convenient, alternative means to all Freedom of Information Act (FOIA) and Privacy Act (PA) requestors [sic] to make requests for FBI records,” a letter from David M. Hardy with the FBI’s Records Management Division to Best, dated March 30, 2016, reads. “On February 29, 2016, the FBI received an exceedingly high volume of submissions from you via the FBI email portal which had been generated by script [sic] using a list of names. This matter of submission interfered with the FBI’s ability to perform its FOIA and PA statutory responsibilities as an agency. Accordingly, the FBI did not accept these submissions on February 29, 2016, via the FBI FOIA email portal,” it continues. Best’s script was simple enough: It took names of special agents and other FBI officials collated from the agency’s own “Dead List,” a list of people the FBI knows to be deceased, and placed each into a request template. The request was for records held concerning the subjects, which can be released after the person is deceased. (For what it’s worth, Best says he didn’t submit his requests via the “email portal” as the FBI’s letter states, but just sent them to the normal FBI FOIA email address.) “I think the letter’s vagueness is counterproductive,” Best told Motherboard in a Twitter message. “‘The manner of submission’ could mean almost anything. The volume of requests, or using the script? If it’s the former, I’ve never heard of an agency discarding FOIA requests because there were too many, and if it’s the latter I don’t see how the locally run script would have created a problem.” The requests weren’t even “rejected,” at least in the traditional FOIA context. Requests can be rejected if they are determined to be too burdensome on the agency. But that’s not what happened here—the FBI didn’t even accept the requests in the first place. [Source]

CA – Residential School Abuse Stories Must Be Shredded After 15 Years: Court

Survivors of Canada’s notorious residential school system have the right to see their stories archived if they wish, but their accounts must otherwise be destroyed in 15 years, Ontario’s top court ruled in a split decision last week. At issue are documents related to compensation claims made by as many as 30,000 survivors of Indian residential schools — many heart-rending accounts of sexual, physical and psychological abuse. Compensation claimants never surrendered control of their stories, the Appeal Court said. “Residential school survivors are free to disclose their own experiences, despite any claims that others may make with respect to confidentiality and privacy,” the court said. The court rejected the idea the documents were “government records” but said the material fell under the court’s control. [Source]

US – ESPN Argues Athlete’s Medical Records Matter of Public Concern

Cable sports network ESPN has filed court papers arguing that journalists are entitled to provide the public with visual evidence to corroborate reports, even in cases involving the athlete’s medical records. Last summer, Jason Pierre-Paul, a player in the NFL, blew part of his hand off in a fireworks accident. Reporter Adam Schefter tweeted a picture of Pierre-Paul’s medical record as proof. The football player has sued ESPN, arguing his privacy was violated. The media outlet argues Pierre-Paul’s claims “cannot succeed where, as here, the subject-matter of a news report is a matter of public concern.” [Hollywood Reporter]

CA – Judges Reject Media Ban in Two Assisted-Death Cases

Canadian judges have refused to bar the media from assisted-death cases for the first time. Judges in Ontario and British Columbia both rejected requests to ban the media from the hearings, breaking precedent set in Canada’s first application for an assisted death in late February. While the judges in the two cases understand the request for privacy by the two clients, the cases are “uniquely significant,” and blocking the media would harm the “open court principle,” said Chief Justice Christopher Hinkson of the British Columbia Supreme Court. “Conducting these proceedings in camera would effectively prevent the public from having any information about the case, other than what is volunteered by the parties or provided by the court in its reasons for judgment,” Hinkson said. [The Globe and Mail]

Health / Medical

CA – BC Arbitration Board Rules Nurse Must Be Reinstated Despite Multiple Incidents of Patient Data Snooping

The BC Nurses Union brought a grievance on behalf of a member who was terminated by her employer, the Vancouver Coastal Health Authority, for improperly viewing patient medical records. An arbitrator determined that termination was an excessive response and ordered the nurse reinstated, with seniority, but without back pay or benefits; none of the information accessed was disclosed, and the nurse had realized the seriousness of the unauthorized access (she has been out of work a long time and had taken courses to educate herself on the issue). [Vancouver Coastal Health Authority (Olive Devaud Residence) v. British Columbia Nurses Union – 2016 CanLII 11873 (BC LA) – Labour Relations Board]

Horror Stories

PH – Philippines Breach Largest In Government History?

Sensitive information of nearly 55 million Philippine voters has been exposed in possibly the biggest government-related data breach in history. Security researchers believe the entire database of the Philippines’ Commission on Elections has been exposed following a cyberattack compromising the organization’s website by Anonymous Philippines, after which LulzSec Pilipinas, a second hacker group, posted the complete COMELEC database online. The data dump included information such as fingerprints and passport information, although COMELEC officials claim no sensitive information was accessed. Officials also said the national elections being held 9 May will not be affected by the attacks, as the election-related systems will be held on a separate site. During the initial attack, Anonymous Philippines warned COMELEC it should strengthen the security of the voting systems. [The Register]

TU – Nearly 50M national IDs, PII of Turkish citizens leaked online

The national IDs and other personal information of nearly 50 million Turkish citizens — more than half the country’s population — were leaked on a website hosted in Romania. The other personal information in the leak included citizens’ full names, parents’ names, addresses and dates of birth. Victims of the data breach also include the current president of Turkey, Recep Tayyip Erdoğan and the previous president, Abdullah Gül as well as current Prime Minister Ahmet Davutoğlu. The site features a “lessons to learn” portion that hints at how the data was stolen, and mentions lack of encryption and poor database security. [The Guardian]

CA – Breach at Alberta’s Maintenance Enforcement Program?

An Alberta government employee is under investigation after Edmonton police discovered as many as 60 sensitive files in the province’s maintenance enforcement program may have been accessed inappropriately. The alleged privacy breach was discovered during a larger police investigation, Justice Minister Kathleen Ganley said. The enforcement program collects and enforces court-ordered child and spousal support payments, meaning the files contained financial information and other personal details. “Obviously, we’re deeply concerned because this is the private information of individuals who have come into the program — sometimes very vulnerable individuals,” Ganley said. The employee in question is under investigation by both Edmonton police and Justice Department officials. The employee still has a job with the government, but no longer has access to the client database. “To the best of our knowledge, there is only one individual involved,” she said. [Edmonton Journal]

Identity Issues

CA – Price of Stolen Canadian Identity Plummets On Black Market

The price of a stolen Canadian identity has dropped by half in the space of a few years, says a new report from tech firm Dell. A set of Canadian “fullz” — the basic data needed to steal someone’s identity — now trades for around US$20 on the global market, down from a range of $35 to $45 in 2014, Dell Secureworks said in its latest Underground Hacker Marketplace Report. A set of “fullz” includes a person’s name, date of birth, an identifying government ID like a Social Insurance Number or driver’s licence and some form of financial data, like credit card or bank account numbers. Physical documents are more expensive, with passports going in the thousands of dollars. Fake Canadian passports can run upwards of US$2,600, more than U.S. passports though not as much as those of some European countries. A Canadian SIN card “was observed being sold by cybercriminals out of China for approximately $173,” the report said. The cheaper prices may have to do with a growing supply of stolen identities. The Insurance Bureau of Canada reported last month that there has been an increase in identity theft in Canada in recent years. The Canadian Anti-Fraud Centre said 17,000 Canadians reported being victimized by identity theft in 2015, and losses topped $10.7 million. But the centre warned that, more often than not, identity theft goes unreported. [HuffPost]

US – ONC, NIST Partner on Federated Identity and Health Data Privacy

The National Institute of Standards and Technology is putting up $1 million to find a new approach for patients and providers to access health records in a joint endeavor with the Office of the National Coordinator (ONC) for Health IT. Instead of piling up individual accounts for each provider a patient sees – dentist, specialist, primary care, in the doctor’s office or in the hospital – NIST and ONC are looking for ways to streamline the entire process by enabling a single credential across multiple providers. “For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy – what NIST calls a ‘Federated Identity,’” NIST deputy director Michael Garcia wrote announcing the pilot. ONC, for its part, will participate in the review of applications and also provide technical support regarding implementation and operation of the pilot. “The goal is for hospital systems to work with other regional health systems and provider groups on developing and using a federated identity system,” Garcia explained. “The identity solution must be: privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy to use.” NIST said it will fund one award between $750,000 and $1 million for eighteen months. Applications can be submitted until the June 1, 2016 deadline. [Source]

Internet / WWW

WW – Countries that Use Tor Most Are Highly Repressive or Highly Liberal

You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world. Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, is the author of the new paper, recently published in peer-reviewed journal New Media & Society. Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country’s political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project’s own figures. Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country’s internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences. “The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes. [Source]

WW – The Art of Privacy

Artist Trevor Paglen has exhibited a sculpture called the Autonomy Cube at museums around the world. The sculpture houses a custom wi-fi router. Museum visitors who connect to it will have their data redirected through the Tor network. The router also serves as a Tor relay. Paglen aims to install Autonomy Cubes in any museum that will pay for their creation. [Wired]

WW – Android Messaging Apps Leaking Data Through ‘Surreptitious Sharing’

German researchers have found a serious flaw in the way many popular Android email and messaging apps – including Skype and even secure systems like Telegram and Signal – share documents, images and videos. Dominik Schürmann and Lars Wolf from Braunschweig University of Technology say the bug, dubbed ‘Surreptitious Sharing’, allows attackers to capture data including passwords, private keys and message histories. They tested 12 popular email and messaging apps and found eight were exploitable. As a result, they said, the flaw is “definitely present in many more apps”. The affected messaging apps are Skype, Threema, Telegram and Signal. The vulnerable email apps are Google’s Gmail and AOSP Mail, K-9 Mail and WEB.DE. Four messaging apps were found to be safe – WhatsApp, Hangouts, Facebook Messenger and Snapchat. The bug lies in the main ‘Intent’ file-sharing API that Android apps use. This allows an attacker to access the receiving app’s private files. Worryingly, even privacy-focused messaging apps were “easily exploitable”, the researchers said. [Source]

Law Enforcement

US – Maryland Appeals Court Upholds Lower Court Stingray Ruling

An appeals court in Maryland recently ruled that police should not have used a stingray cell site simulator device without a warrant. The state had argued that by turning on cell phones, people were consenting to being tracked. The ruling upholds a lower court decision to suppress information gathered with the stingray. It also addresses the obfuscation police used in obtaining a warrant to use the stingray, writing, “A non-disclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and ‘justified by circumstances,’ obstructs the court’s ability to make the necessary constitutional appraisal.” [Wired] See also: [Stingray ruling could challenge hundreds of Baltimore convictions]

CA – Canadian Police Forces Moving Towards Costly Body Cameras

Some Canadian cities and police forces already wrestling with cash-flow shortages are moving toward outfitting officers with body cameras despite privacy concerns and scant consensus on the technology’s cost-effectiveness. Body camera programs aren’t cheap, according to multiple forces across the country, and would require hiring more personnel to deal with the hundreds and thousands of hours of footage. Storage costs alone can run in the millions of dollars. Nonetheless, proponents say the cameras provide better evidence, lead to more convictions, improve officers’ interactions with the public and reduce police use-of-force incidents. Others, however, argue the videos invade the privacy of citizens, and worry that administrative duties related to body cameras will keep officers away from policing. [CTV News]


UK – 93% of Mobile Users Have Their Location Tracked Every Day

A new campaign by privacy-focused advocacy group Krowdthink aims to raise awareness of the privacy implications of owning a mobile phone in the UK. The ‘Opt Me Out Of Location’ campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93%) has unwittingly signed up for a contract that permits their location to be tracked. More than this, the data collected allows providers to build up highly detailed customer profiles, which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals. Research by Krowdthink says that while most mobile users are suspicious of apps that make use of GPS, few people think about the fact that their location is highly trackable when they connect to wifi hotspots or cell towers. [Source]

Online Privacy

US – Judge Approves Sony Hack Settlement

U.S. District Judge R. Gary Klausner ruled in favor of the estimated 437,000 employees affected by the 2014 Sony hack, approving the settlement that would provide them identity theft protection through 2017. Klausner said the three years of credit monitoring is longer than granted in other class actions, the report states. Sony further agreed to “an optional service that will cover up to $1 million in losses,” with more specific figures relating to the monetary settlement forthcoming. [The Associated Press]

Other Jurisdictions

WW – Nymity and IAPP Announce New Privacy Management Tool

The IAPP and Nymity have announced the Nymity Privacy Management Workbook and supporting materials. Terry McQuay, Nymity’s President, stated, “The Privacy Management Workbook is an unlocked Microsoft Excel Spreadsheet that can be used as is, or customized to meet a specific privacy officer’s needs. The Privacy Management Workbook is accompanied with the ‘Getting Started Manual’, that provides an operationalized approach to privacy management accountability and step by step instructions on how to use the Workbook. For organizations with mature privacy management embedded throughout the organization, there is a second manual called the ‘Demonstrating Compliance Manual’. This manual outlines an accountability approach to demonstrating compliance with privacy laws that is empowered by the documentation that was collected using the Privacy Management Workbook.” [Privacy Management Workbook and the supporting materials]. [Source]

AU – Census Plan “A Massive Invasion of Privacy” Says EFA

Plans to retain people’s names and addresses for this year’s Census have sparked fear that the information could be used by Centrelink, the Tax Office and ASIO and may lead to mass civil disobedience or people lying on their forms, privacy groups believe. The Australian Bureau of Statistics (ABS), which has been around since 1905, conducts a Census every five years. While this has always involved collecting names and addresses, the difference is that this time it wants to hold on to all of this information. The Agency has said it wants to be able to combine Census data with other datasets, such as health and education statistics, to get a “richer and dynamic statistical picture of Australia.” Statisticians argue this could provide insights into many areas, for example, the employment outcomes of different educational programs or designing mental health services, and result in better service planning and delivery. Keeping names and addresses would also make surveys more efficient and reduce the cost and burden on Australian households, said the ABS. But Jon Lawrence from the Electronic Frontiers Australia said retaining such information was unwarranted and intrusive and “an exceptionally bad idea.” “At its very essence, it’s a massive invasion of the privacy of every Australian,” Mr Lawrence said. [Source] See also: [Benefits of the census retaining names and addresses should outweigh privacy fears]

Privacy (US)

US – FTC Releases Agency’s 2015 Annual Highlights Report

FTC Chairwoman Edith Ramirez released the FTC’s 2015 Annual Policy Highlights. The topics covered in the report include the FTC’s noteworthy legal actions in a variety of industries, including health care, technology and other consumer products and services. The report touches upon the FTC’s work to bring actions against technology companies to ensure the protection of consumers’ personal info, including settling a charge with Oracle over the safety provisions in updates to its Java platform. Also touched upon in Ramirez’s report was cross-device tracking, and educating consumers on fraud and deceptive business practices, including, a website to help people report and recover from identity theft. [FTC Press Release]

US – FTC Fines Organisation $79,659,262 for Payment Fraud Scheme

The FTC is granted an order against Ideal Financial Solutions Inc. for participating in violations of the Federal Trade Commission Act. The company and its subsidiaries are permanently restrained from selling, transferring, or otherwise disclosing a consumer’s personal information to any third party without consent, and misrepresenting that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v Ideal Financial Solutions Inc. – USDC for the District of Nevada]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – FTC Releases Web Tool for Mobile Health App Developers

The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply. The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that are likely to apply to the app. The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources. In conjunction with the release of the developer tool, the FTC also released its own guidance aimed at developer compliance with the FTC Act. This guidance follows the release of OCR’s Health App Use Scenarios & HIPAA guidance and discussion portal and FDA Mobile Medical Applications guidance. Together, these agency releases reflect efforts to bring clarity to the growing mobile health app ecosystem.

US – DHS Unveils Privacy Guidelines for Mobile Apps

The U.S. Department of Homeland Security has issued a set of privacy rules for mobile applications developed for the agency. The guidelines include a privacy policy requirement as well as a rule that program managers notify a privacy official and the chief information officer prior to an app’s development. App developers must pass their apps through a DHS “Carwash,” a system that scans each app’s code; the apps are then reviewed by DHS Chief Privacy Officer Karen Neuman. The guidelines also lay out what kinds of personal information can be processed and require that user information in transit must be encrypted and “immediately transferred to a protected internal DHS system that is compliant with existing DHS IT security policy.” [FCW]

US – Market Surges For Outside Privacy Counsel

A significant portion of corporations—76%—employ outside counsel for privacy and data security matters, according to a Bloomberg Law/IAPP survey study on “The Market for Data Privacy Legal Services.” And that demand is growing. The survey report concluded that:

  • A dedicated privacy team and subject matter experience are the most important qualities—along with basic care and feeding of clients—that companies look for in hiring outside counsel.
  • On average corporations spend nearly $170,000 annually on outside counsel handling privacy and data protection matters.
  • Outside privacy attorneys command high hourly rates, an average of $474 for transactional services, $539 for litigation and $623 for specialized privacy and data protection services.

The survey found that privacy pros in companies generally don’t hire outside counsel for operational tasks, such as PIAs and privacy by design application. But at the same time, significant opportunities for lawyers to expand their revenue may be in advising companies on privacy by design/privacy engineering initiatives, the report said. [BNA] See also: [UK and European firms invest in data protection ahead of GDPR]


WW – A Lot Will Plug a Random USB into Their Computer: Study

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year. As it turns out, it really works. In a new study, the researchers estimate that at least 48% of people will pick up a random USB stick, plug it into their computers, and open files contained on it. Moreover, practically all of the drives (98%) were picked up or moved from their original drop location. Very few people said they were concerned about their security. 68% of people said they took no precautions, according to the study. Some 135 people actually opened some files in the drives, according to the study. The researchers didn’t put any malware on the sticks, but had left an HTML file that contained an image allowing the researchers to detect when a file was opened. The HTML file also contained a survey, which had the goal of informing unwitting students and faculty that they had become part of an experiment, and trying to figure out why they had picked up the drive and opened files inside. Based on the participants’ survey answers, the researchers concluded that most people did it with “altruistic intentions.” In fact, 68% of people said they did it to find the owners, while 18% admitted it was just out of curiosity. However, considering their actions, it seems some overestimated their good intentions. Despite the fact that some USB drives contained a resume file, almost half the users didn’t open that file, and instead browsed vacation photos first, “overtaken by curiosity,” as the researchers put it. [Source]

US – US, Canada Issue National Alerts on Ransomware

The United States Computer Emergency Readiness Team within the Department of Homeland Security and the Canadian Cyber Incident Response Centre have jointly issued a special alert for both nations on the threat of ransomware and recent variants of the virus. The alert highlights the threat to the healthcare industry in the U.S. and worldwide, as well as threats to other businesses and individuals, outlining important steps to help organizations avoid falling victim to a ransomware attack, and guidelines for responding to incidents in which an organization is fending off ransom demands. The alert takes a hard line on whether organizations should pay to unlock information or computers, suggesting that there is no guarantee that paying a ransom will result in the release of information. Over the last few weeks, about a half dozen ransomware incidents have been reported among U.S. and Canadian hospitals, and in most cases, the organizations have been able to work around the attacks without paying a ransom. In February, Hollywood Presbyterian Medical Center reported that it paid the equivalent of $17,000 to unlock its information after a ransomware attack crippled the facility’s systems for about a week. The federal alert warns that ransomware is being spread via phishing tactics, as well as through “drive-by downloading,” which occurs when a user unknowingly visits an infected web site and malware is downloaded to the computer. [Source] See also: [Ransomware Threat Hits Critical Mass] and [Should Ransomware Attacks Be Considered Breaches?]

US – Federal Agencies and Ransomware: Statistics

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security. Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [CBC: Ransomware Hits Another (Ontario) Hospital] [SC Magazine]

Smart Cars / IoT

US – NTIA Commences Internet of Things Proceedings

On April 5, 2016, the National Telecommunications and Information Administration (NTIA) initiated an inquiry to review the potential benefits and challenges presented by the Internet of Things (IoT). In its Notice and request for public comment (RFC), NTIA is seeking input on the current IoT technological and policy landscape with a goal of developing recommendations—in the form of a Green Paper—as to whether and how the federal government should play a role in fostering the advancement of IoT technologies. Comments are due on or before May 23, 2016; parties across industry sectors are encouraged to comment. The inquiry is part of the Department of Commerce’s Digital Economy Agenda through which the agency seeks to help develop a free and open Internet and innovation in the digital economy while promoting privacy, security, and broad access. [Source]

WW – IoT Privacy a Concern for 62% Globally, More in U.S.

A newly released study of 5,200 “mobile media users” in Brazil, China, France, Germany, India, South Africa, the U.K., and the U.S. has found 62% of respondents “concerned” about privacy and the Internet of Things. That number rises to 70% in the United States. According to the Mobile Ecosystems Forum, privacy outstrips security (54%), and is a far bigger concern than physical safety (27%) or “machines taking over the Earth” (21%). Which connected devices are most concerning? Respondents answered with their home security as most concerning (30%) followed by their car (12%) and television (10%). [MediaPost]

US – OTA Principles for IoT Privacy and Security Programs

15 months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices. For now, the Framework focuses on wearable technology and connected home devices. In so doing, it avoids addressing some of the more challenging transparency and consent issues presented by devices lacking a direct buyer-seller relationship, such as those that arise in the retail or infrastructure context. The Framework also excludes connected medical devices and the associated potential life-or-death implications of medical technologies. Though purely voluntary and non-binding, the Framework differentiates between what it posits as “required” and “recommended” guidelines, thereby allowing for a broader consensus in a dynamic environment with many unresolved questions. Certain guidelines will likely be familiar to consumers—such as multi-factor verification for resetting credentials, and user notification after a password change. Other guidelines are particularly tailored to the IoT space—such as disclosure of the duration of patch support, and notice when a device initially pairs with a network. Themes of the Framework include guidelines designed to achieve the following:

CA – Allstate to Offer Albertans Usage-Based Auto-Insurance

A new Alberta insurance program could see motorists save money if they’re willing to install a device that monitors their habits behind the wheel. Allstate is the first company in the province to offer usage-based insurance, which uses technology to collect data on how a vehicle is driven and offer discounts for safe drivers. “It’s a little box you plug in under the steering wheel, and it sends out information,” Edmonton north agency manager Amanda Sawatzky said. “We take the measurements of the data over six months because that’s going to tell us over time what your driving habits are.” The company will check the frequency of hard braking, the time of day customers drive — accidents are more common between 11 p.m. and five a.m. — total kilometres covered and travelling at more than 125 km/h. The information comes from the vehicle’s diagnostic system and is sent out electronically. Drivers can log in to a website and monitor the results. “Hopefully, as you see a hard braking or speed incident, you’re more aware of it and it leads to safer driving habits,” Sawatzky said. After six months, the equipment will be removed and Allstate will offer participants premium discounts of up to 30%, depending on how well they did. Even if they do badly, their premiums won’t rise. Any discount remains as long as they own the vehicle. “It’s empowering drivers and there’s no downside to it. The safer you drive, the more you can save.” It’s unlikely someone will change how they drive for six months, then revert to bad habits once the monitor is out, she said. People who want to see whether they should sign up will receive a 5% premium cut for a year for using a test app. [Edmonton Journal]


US – New Hampshire Bill Regulates Government and Citizen Use of Drones

Last month lawmakers in the New Hampshire House of Representatives passed a bill regulating government and citizen use of drones. The bill includes strong privacy protections that address some of the most common concerns associated with police using flying robots. The legislation is the latest example of local lawmakers improving upon decades-old Supreme Court precedent amid rapidly changing technology. In a world where drones with cameras are well within many law enforcement budgets it is reasonable to ask when police can fly a drone over your backyard. It’s understandable if you think that you have a reasonable expectation of privacy in your backyard, but the fact is that the Supreme Court ruled in two cases from the 1980s (Florida v. Riley and California v. Ciraolo) that you don’t. In both cases justices on the Court held that observations from the air are analogous to observations from public roads. [Forbes] See Also: [FAA committee writing rules permitting small drones over crowds]

US – NTIA Postpones Drone Privacy Meeting

The National Telecommunications & Information Administration has postponed an April 8 multistakeholder meeting on drone privacy, saying some stakeholders said that work on a revised draft of voluntary drone privacy guidelines would not be ready to circulate to the full group until April 22. The meeting will be rescheduled for early May, according to John Verdi, NTIA’s director of privacy initiatives, in a note to stakeholders. The effort is among a number of sets of best practices NTIA is trying to help industry and civil society representatives agree on to enforce the Obama administration’s privacy bill of rights. Others include ones on apps and facial recognition. It has been a year since NTIA sought comment on “privacy, accountability, and transparency issues” surrounding the use of unmanned aircraft systems (UAS), which are being increasingly used in TV news and film production. Those studios told NTIA they do not think there need to be any privacy guidelines for their use in such productions since they are either used on closed sets, or where they are not collecting information from the public. Back in November, major broadcast and print news operations and others in the News Media Coalition (NMC) asked NTIA to make sure it does not limit their First Amendment rights in its ongoing effort to come up with privacy guidelines for the new wave of UAS. [Source]

Telecom / TV

US – Federal Judge Says No Expectation of Privacy in Cell Site Location

In the Seventh Circuit — where there’s currently no Appeals Court precedent on cell site location info (CSLI) — federal judge Pamela Pepper has decided only about half of what other courts have said about this info’s expectation of privacy applies. That would be the half that finds the Third Party Doctrine covers cell phones’ constant connections to cell towers. Three circuits (4th, 5th and 11th) have ruled on whether obtaining CSLI from providers constitutes a search or seizure under the Fourth Amendment. Only the Fourth found that this information deserved greater privacy protections, mainly because of the ubiquitousness of cell phones. The other two held that CSLI is just another business record, even if it is the sort of business record that generates a detailed history of someone’s movements and can be used to track someone in near real-time. The Supreme Court also had something to say about the long-term tracking of people’s movements in its decision about GPS tracking devices. While not exactly the same thing, it was close, and the court here examines this decision as well. The government suggested long-term location tracking might have enough Fourth Amendment implications to justify a warrant requirement, but stopped short of making that call. With these non-precedents in hand, Judge Pepper finds there’s no expectation of privacy in cell location info because — like the government has argued in other cases — everyone should know their phones are acting as ad hoc government tracking devices. [TechDirt] [The ruling is here]

CA – Cases Highlight Legal Debate Over Texting Privacy Rights

The Ontario Court of Appeal is being asked to determine what privacy rights exist in the content of an individual’s text messages when they are obtained by police through the seizure of the phone of the recipient and not that of the sender. It is only the second time that the status of text messages on another person’s phone has been before an appellate court. The B.C. Court of Appeal ruled last year that there are privacy interests for the sender of the communications. At the Ontario Court of Appeal, the issues have been raised in two cases that are being heard together this week. The argument that there is no privacy right once a text message has been sent is a very “old school” notion based on control, which does not fit with modern communications, says Laura Berger, acting director of the public safety program at the Canadian Civil Liberties Association. “For an increasing percentage of Canadians, especially younger people, text messages are supplanting voice telephone calls. We need to ensure that privacy protections in place [for phone conversations] are not diluted because of changes in technology,” says Berger. [Law Times]

US Government Programs

US – ODNI Signs Transparency Charter; NSA Sharing Plan Worries Rights Groups

Director of National Intelligence James Clapper signed a charter that formally transitions the Intelligence Community Transparency Working Group into the now permanent IC Transparency Council. Senior officials from across the intelligence community have comprised the working group, which was created two years ago. The council will oversee the Transparency Implementation Plan and ensure that transparency “becomes a comprehensive and sustainable practice” throughout the intelligence community. CSM Passcode reports privacy and civil liberties groups urge the NSA and DNI Clapper to reconsider a proposed data-sharing plan with other law enforcement agencies. Meanwhile, the surprise resignation of David Medine could spell trouble for the Privacy and Civil Liberties Oversight Board. Medine was the only full-time member of the five-member panel. [Full Story]

US Legislation

US – Legislative Roundup

Workplace Privacy

CA – OPC Issues Guidance on How to Prevent Employee Data Snooping

Six years ago a bank employee was caught going through the financial records of another staff member who was in a relationship with her ex-husband. The spying had been going on for four years. In another case hospital employees were caught selling patient data for their own gain. With organizations holding huge amounts of personal data on staff and customers, employee snooping — for curiosity or money — is tempting. The federal privacy commissioner suggested 10 ways employers can prevent staff spying on personal data. “Employee snooping poses a serious privacy risk that if left unchecked can cause significant and lasting financial and reputational damage to both your customers and your organization,” the report warns. “By taking the appropriate steps to address this risk … organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted.” [Source] See also: [New OPC Guidance regarding Privacy Impact Assessments: At Two Pages, Why Bother?]

CA – Staff Have Privacy Rights Even if Company Provides Devices, CPOs Told

Talk, not spy technology, should be one of the first weapons employers use if they suspect employee misuse of enterprise devices or data, two lawyers have told a privacy law conference. “I would be cautious about using all kinds of fun and highly efficient but intrusive technologies to monitor your workers’ productivity,” Emma Phillips, a partner at the Goldblatt Partners LLP law firm, told chief privacy officers in Toronto on Thursday. If management has a reasonable belief there’s been misconduct, Canadian law potentially allows staff or a device to be monitored, she added, as long as it’s done in a reasonable way — for example, don’t install keystroke loggers before warning an individual what inappropriate behaviour is, or put up surveillance cameras that cover broad areas where employees work. [IT World Canada]

WW – Cybersecurity Remains Biggest Barrier to BYOD Adoption: Study

Crowd Research Partners’ recent 2016 BYOD and Mobile Security Report, surveying more than 800 global cybersecurity professionals, reveals that 39% of respondents consider security one of their greatest concerns surrounding bring-your-own-device adoption. An additional 12% expressed fears that BYOD would diminish employee privacy, the report states. The study “reveals that enterprise security risks and mobile data breaches are on the rise.” While these threats are serious, they also present “an opportunity for organizations to implement effective cybersecurity solutions to strengthen their security posture and capitalize on the promise of enterprise mobility.” [Security Brief NZ]



26 March – April 1, 2016


US – NTIA Face-Recognition Privacy Talks Blasted as ‘Orwellian Farce’

The U.S. Commerce Department’s National Telecommunications and Information Administration held a meeting last week in its ongoing multistakeholder effort to establish face-recognition technology data best practices, and the results disappointed privacy advocates. Advocates argue that representatives from the technology industry “hijacked” discussions on privacy, the report states. The result? “This is no longer a multistakeholder process,” said the Center on Privacy & Technology. “It is an industry stakeholder process. These draft guidelines are a direct consequence of that decision.” Lack of privacy in this sphere is particularly egregious as “you cannot delete your face.” [IB Times]

Big Data

EU – Security Risks Can Be Mitigated with Robust Access Control and Encryption

The EU Agency for Network and Information Security (“ENISA”) examined the security challenges of and best practices for Big Data. Big Data-related security risks include access control and authentication, secure data management, source validation and filtering, and application software security; mitigating measures include strong and scalable encryption, mandated purchasing from authentic suppliers, use of security standard-compliant devices, and assigning confidence levels on endpoint sources. [ENISA – Big Data Security]


CA – Feds Consulting on Open Government and Access to Information

Treasury Board President Scott Brison invited Canadians to participate in public consultations to help deliver the Government of Canada’s agenda for more openness and transparency. In the context of open dialogue, this series of consultations will be used to develop Canada’s 2016-18 strategy on open government, to be released this summer. Beginning May 1, the Government will also be seeking input from Canadians on how best to implement its commitments to improve the Access to Information Act. Minister Brison will kick off the consultations on open government by hosting a Google Hangout with leading experts and leaders on April 6. [Source]

CA – Spy Agency Watchdog Facing Huge Budget Cuts

The Security Intelligence Review Committee, which reviews select activities of CSIS, expects to lose, on average, $2.5 million annually in funding starting next spring. The confusion comes as CSIS increasingly flexes its new powers granted under last year’s Bill C-51 national security legislation. The service had long been limited to collecting and analyzing national security intelligence for government, but is now empowered to actively disrupt suspected threats to security and to exchange and collate information on suspect Canadians with other federal departments and agencies, which was not possible before C-51. [National Post]

US – Federal Agencies Sharing Information Under Bill C-51 Provisions

At least four federal agencies have used controversial information-sharing powers in Canada’s new anti-terrorism law, internal government documents show. Privacy commissioner Daniel Therrien said Bill C-51 set the threshold for sharing Canadians’ personal data far too low. It’s not surprising that agencies have begun using the information-sharing act, said University of Ottawa law professor Craig Forcese. “The risk is that it’s being used in ways that are going to be difficult to predict because of the overbreadth and uncertainty of that act, and it’s going to be used in ways that are difficult to police,” said Forcese, co-author of False Security, a book that squarely criticizes the omnibus bill. “It’s added complexity to a complex problem rather than simplifying life.” [Source] [Canada’s new ‘anti-radicalisation’ office met with caution by Muslim community]

CA – Guidance on How CSIS Should Use Anti-Terror Bill C-51 Largely Secret

The federal government has issued guidance to Canada’s spy agency on using contentious new anti-terrorism laws — but most of the instructions won’t be made public. Many passages of the ministerial direction to the Canadian Security Intelligence Service, issued last July, were withheld from release due to provisions of the Access to Information Act concerning security, internal deliberations and cabinet confidences. The federal decision to keep much of the ministerial direction under wraps did nothing to reassure those with concerns about C-51, the omnibus security bill that received royal assent early last summer. The legislation gave CSIS the power to actively disrupt suspected terrorist plots, even allowing the spy service to take actions that breach the Charter of Rights and Freedoms as long as a judge approves. “One of our greatest concerns with C-51 is that CSIS has been given extraordinary new powers, including the power to break the law and violate the Constitution,” said Josh Paterson, executive director of the British Columbia Civil Liberties Association. [Source] [How is the Liberal government using Bill C-51? Good question] [We Must Question The Timing Of This Terrorism Case]

CA – BC OIPC Launches Investigation on Phone-Monitoring Tool

BC Privacy Commissioner Elizabeth Denham has kicked off a closed-door inquiry of a surveillance tool known as Stingray, which impersonates a cellphone tower in order to deceive any phone within range and obtain data, possibly storing everything it receives. Law enforcement officials from all over Canada aren’t saying if they use Stingray, as the police work to keep their mass surveillance systems under wraps. The BC Civil Liberties Association’s Micheal Vonn condemned the use of Stingray by police: “What we’re saying here is, does it help to collect the data of tens of thousands of individuals that aren’t the subjects of police investigation? No, of course it doesn’t help.” [Full Story] See also [Maryland Court Says Police Must Disclose Stingray Purpose Before Use]

CA – BC Privacy Commissioner Offers Parting Advice

As Information and Privacy Commissioner Elizabeth Denham prepares to move on to a national posting in the UK, she’s got in mind what the B.C. Liberals could give her in lieu of their tentative offer of a second six-year term here at home.

  • Lobbying reform: Denham’s biggest ask is to change the legislation so what is registered is actual lobbying and not prospective lobbying. “It would make enforcement of the law so much more practical and easier for my office. It would also, I think, help lobbyists because they have to register anyone they might prospectively lobby. It would be more meaningful for the public to be able to see actual lobbying and not prospective lobbying.”
  • Denham favours a stand-alone law governing both public and private health care providers. She also says B.C. should follow other provinces and legislate fines of up to $50,000 for unauthorized snooping by health care staffers. “They’re supposed to look at health information for their own patients, not look up information on celebrities, not look at their ex-spouse’s health information,” said the privacy watchdog. “It’s a serious problem of trust in the system, and we need higher penalties and enforcement.”

Denham is also calling for tougher penalties for the deliberate destruction of public records. Her landmark report from last fall, Access Denied, highlighted a series of concerns in that regard. It also led to recent charges against a government staffer for misleading the commissioner about the destruction of records. “The charges are not about the action of unauthorized destruction of records,” explained Denham. “We need that in the Freedom of Information and Protection of Privacy Act. We need an offence provision, and we need the associated penalties.” [The Vancouver Sun]

CA – Legal Community Masses Forces for Set Piece Battle Over Privilege

Organized bar groups are massing at the Supreme Court of Canada again to repel what they contend are state attacks on the adversarial justice system. “When, and under what circumstances, can a regulator pry into a lawyer’s litigation brief, while the litigation is still under way, in order to examine the lawyer’s litigation strategy, trial preparation and other material collected or prepared for the dominant purpose of actual or apprehended litigation?” “If the court finds that litigation privilege can be abrogated by inference, it would expose lawyers’ briefs to regulatory scrutiny while litigation is still under way, in the absence of clear and explicit statutory language. This would dramatically expand the circumstances in which regulators could access information protected by litigation privilege.” [Lawyers Weekly]

WW – Software Flags ‘Suicidal’ Students, Presenting Privacy Dilemma

Ontario Christian Schools (OCS) is a private K-12 school near Los Angeles with about 100 children per grade. Three years ago, the school began buying Google Chromebook laptops for every student in middle and high school. The students would be allowed to take them home. Although Google software, like that of other companies, comes with virus protection and the ability to filter search results and block certain Web sites, Ontario Christian Schools turned to a third party to provide an additional layer of security: a startup called GoGuardian. GoGuardian helped school leaders create a list of off-limits websites: porn, hacking-related sites and “timewasters” like online games, TV and movie streaming. The software also has another feature: It tracks students’ browsing and searches whenever they are using the computer, at home or at school. That’s how OCS was alerted that a student appeared to be in severe emotional distress. Suicide is the third leading cause of death among youth aged 10 to 24. “This is a growing trend where schools are monitoring students more and more for safety reasons,” says a research fellow at NYU’s Information Law Institute who is an expert on student privacy and data. “I think student safety and saving lives is obviously important, and I don’t want to discount that. But I also think there’s a real possibility that this well-meaning attempt to protect students from themselves will result in overreach.” This type of dilemma is almost certainly going to become more common, as school-owned devices and laptops proliferate. In 2015 alone, according to a report released this month, U.S. K-12 districts bought 10.5 million devices like laptops and tablets, a 17.5 percent increase over the year before. [NPR] See also: [Student Privacy at Risk Absent Better Training for All] [U.S. Department of Education guidance]


WW – New ‘Commerce VPN’ Site Aims to Make Online Shopping Safer

Launched yesterday, is a VPN for netizens’ credit cards, aiming to spare online shoppers from the fear that their information is stolen, used in targeted ads, or otherwise employed improperly. The site “drops in a one-time credit card number with no connection to you personally” come check out, making it appear as if is the buyer. The site also permits a debit account shopping system, like PayPal, as well as pseudonyms. While the system isn’t bullet proof, the report states, “you get a new layer of insulation from the world of online fraud.” [The Verge]

WW – Internet Users Don’t Understand Security or Privacy: Survey

Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims:

  • More than 70% want the “dark net” shut down (which rests on the assumption that 70% of people actually know what the “dark net” is).
  • 26% of users don’t trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases).
  • Only 8.47% of respondents said they trust their governments completely (the citizens that most trust their governments were in Tunisia, at 27%, and Pakistan, at 21%).
  • Most respondents don’t understand that unbreakable encryption protects things like their online banking and shopping, as well as protecting criminals: 60% of Americans and 63% of the total sample reckon “companies should not develop technologies that protect law enforcement from accessing the content of a user’s online data”.
  • Regarding access to citizens’ data, the survey says 70% of users think agencies should have access to citizens’ content for “valid national security reasons” (emphasis added), versus 30% who disagreed. [The Register]


US – FTC Signs Agreement with CRTC to Fight Unlawful Spam

The FTC signed a memorandum of understanding with the CRTC in regards to enforcing commercial email and telemarketing laws. The MOU is effective March 24, 2016. The agreement requires both the FTC and the CRTC to limit retention of shared materials, safeguard any shared information containing PII (by using encryption, using a courier with tracking capabilities, using password-protected files for electronic information and locked storage for hard copies, and redaction of publicly released materials), and notify each other of any breaches. [FTC – MoU between the US FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Commercial Email and Telemarketing] [Press Release]

WW – Google Enhances Gmail Security

Google has made some changes to Gmail to protect users from malicious links and state-sponsored attacks. When users click on suspicious links that arrive in email, Gmail will display a full-page warning telling them that visiting the site could harm their computer. Users will be able to choose to click through to the site. Google will also display a full-page warning when it believes state-sponsored attackers have targeted users. Google’s blog post also notes the company’s participation in submitting a draft IETF specification for SMTP Strict Transport Security, which aims to “ensure TLS encryption works as intended.” [SC Magazine] [Google Blog]

WW – The Dream of Usable Email Encryption Is Still A Work in Progress

In 2014, in the aftermath of the Edward Snowden revelations, Google and Yahoo, the two largest email providers in the world, promised to change that once and for all with a browser plugin that would make sending encrypted emails so seamless anyone could use it. Yet, Google and Yahoo’s projects on secure end-to-end encrypted email have yet to see the light of day. That’s why some are starting to question how much Google and Yahoo really care about making this happen. In recent interviews with Motherboard, both companies publicly renewed their commitment. “Engineers from Google, Yahoo, and the open source community continue to work together on the End-To-End Mail extension project. It remains a work in progress,” a Google spokesperson said. A Yahoo spokesperson said the team of new security chief Bob Lord “is still cranking on it,” and pointed to the fact that the company even mentioned the project in its amicus brief in support of Apple in the case of the San Bernardino shooter. Neither of the companies, however, dared to venture a prediction on when the final product would be released. [Motherboard]

Electronic Records

US – CyberSecurity Information Sharing Is Here to Stay

The adoption of the Cybersecurity Information Sharing Act in the U.S., among other initiatives both in the U.S. and internationally, is “likely to bring about a significant change in the way information sharing and collaboration works.” Paired with emerging technical standards that “promise to enable efficient information sharing at scale,” we will begin to see how “cyber-threat intelligence is poised to transition from a revenue-generating resource to a public good.” [Hogan Lovells] See also: [New NIST working group born out of IoT complexities] [Canadian Federal privacy commissioner will watch threat information sharing, says OPCC official] and [IIROC to Focus on Dealer Members’ Cyber Threats Preparedness]

AU – Vic CPDP ‘Catastrophic’ Impact of Info Sharing Failures

Failure to share information effectively between agencies can have “catastrophic consequences”, the report of the Royal Commission into Family Violence has found. It’s not news for Victoria’s Commissioner for Privacy and Data Protection, David Watts, who said: “It’s disappointing that it takes a royal commission to highlight these issues, because they’re issues our office has been pointing out ever since I was appointed.” Privacy law is often blamed for different agencies being unaware of risks raised elsewhere. Stories abound of justice, drug and alcohol and child protection services, for example, failing to speak to one another and pick up clear warning signs that may have prevented serious harm. But, while the legislation is complicated, Watts argues it’s the overly legalistic and risk averse approach to privacy law, rather than the law itself, that’s the primary problem. Watts’ comments align with those made by his New South Wales counterpart Elizabeth Coombs last year, who argued the problem is with misunderstandings of privacy law, rather than the law itself. [The Mandarin]


US – FBI Unlocks iPhone Without Apple’s Help

The FBI has managed to crack the iPhone in the San Bernardino case without intervention from Apple. The Justice Department has dropped its legal case against Apple and “has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone.” [CS Monitor] [ZDNet] [ArsTechnica] [Bloomberg] [Wired] [ComputerWorld] See also: [Apple scrambles to restore iPhone security after losing privacy fight]

EU – Silicon Valley Faces Encryption Fight in Europe

There are growing calls in some European countries for access to encrypted communications in the wake of recent terrorist attacks in the region. Though Apple is in a highly publicized debate in the U.S. about encryption in its devices, the company, along with other companies employing the security technology, may find similar fights in Europe. French lawmakers plan to debate new intelligence laws this week, and the U.K. is currently embroiled in the proposed Investigatory Powers Bill, which would give broad new powers to law enforcement. Other countries, however, including Germany and the Netherlands, do not back laws that would mandate access to encrypted devices. In the U.S., Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., are seeking support for their encryption legislation. Rep. Jackie Speier, D-Calif., has released a new bill that would require personal information before purchasing a so-called “burner phone.” [New York Times]

EU Developments

US – Bulk Surveillance Court Cases Could Stymie Privacy Shield

The Article 29 Working Party is reportedly looking into three cases that will be heard by the European Court of Justice in weighing its own opinion as to whether the EU-U.S. Privacy Shield is valid. According to Reuters, four individuals familiar with the group’s deliberations said the regulatory body is looking at an airline passenger data sharing pact with Canada as well as two other cases involving data retention by telecommunications companies. According to the report, the three cases are relevant to the Shield because they involve restrictions on bulk surveillance. A senior U.S. government official said, “We have negotiated the Privacy Shield based on the current state of law in the EU … If the law changes, we’ll have to go back and relook at how we handle these things.” [Reuters]

Facts & Stats

US – ACLU Maps DoJ Use of All Writs Act to Force Techs to Crack Devices

The Justice Department said tech companies have accessed phones for it before. So the ACLU tried to find all the cases. The ACLU on Wednesday published court documents and an interactive map for what it said were dozens of instances when the U.S. government tried to compel tech companies to unlock customer devices, offering a fairly comprehensive look at where and under what circumstances law enforcement sought what now might be seen as controversial help. The civil liberties group said it had confirmed 63 such cases and suspected there could be up to 13 more based on its review of court documents and public statements by government and tech company officials. The ACLU said it published the map to stoke public discussion about the use of the All Writs Act. It is also pursuing a Freedom of Information Act request to learn more. [Washington Post]


US – “Effects of Copyright Takedown Abuse on Online Free Expression” Study

Three of America’s sharpest copyright scholars have released a landmark study of the impact of copyright takedowns on free expression in America: Notice and Takedown in Everyday Practice, by Jennifer Urban (UC Berkeley), Joe Karaganis (Columbia), and Brianna L. Schofield (UC Berkeley), uses detailed surveys and interviews and a random sample from over 100,000,000 takedown notices to analyze the proportion of fraudulent, malformed or otherwise incorrect acts of censorship undertaken in copyright’s name, using the Digital Millennium Copyright Act’s takedown procedure. The DMCA is nearly 20 years old, and even before it was passed into law, virtually everyone who was paying attention said that creating a system that allows anything online to be censored through copyright infringement accusations, without due process or even penalties for getting it wrong, would get us into trouble. Now the evidence is in, and it couldn’t be more damning. [Source]

WW – Egypt Blocks Facebook Internet Service After Surveillance Request Denied

After Facebook allegedly prohibited the Egyptian government from using the company’s Free Basics Internet as a surveillance tool, the government blocked the service altogether. Free Basics provides Internet use to those in poverty-stricken areas for free, and Facebook launched the Egyptian version in October of last year. By December, the government suspended the site, saying at the time that permit issues were to blame. Yet sources “close to the situation” maintain that Facebook “was blocked because the company would not allow the government to circumvent the service’s security to conduct surveillance,” the report states. [Reuters]


WW – Panama Papers: Mossack Fonseca Leak Reveals Elite’s Tax Havens

A huge leak of confidential documents has revealed how the rich and powerful use tax havens to hide their wealth. Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca. They show how Mossack Fonseca has helped clients launder money, dodge sanctions and evade tax. The company says it has operated beyond reproach for 40 years and has never been charged with criminal wrong-doing. The documents show links to 72 current or former heads of state in the data, including dictators accused of looting their own countries. Gerard Ryle, director of the ICIJ, said the documents covered the day-to-day business at Mossack Fonseca over the past 40 years. “I think the leak will prove to be probably the biggest blow the offshore world has ever taken because of the extent of the documents,” he said. [BBC]


CA – OIPC BC Opposes Many Recommended Amendments to FOI Legislation

The OIPC responded to the recommendations made to the committee reviewing British Columbia’s FIPPA. The OIPC rejects a number of recommendations as unnecessary; the Law Society’s recommendation to exclude from disclosure to the OIPC all records subject to solicitor-client privilege is rejected because such disclosure may be necessary in the course of the OIPC’s functions and is subject to existing statutory confidentiality safeguards. The OIPC recommended that the law be amended to require a public body to automatically waive fees when it fails to meet its legislated timeline for responding to a request. [OIPC BC – OIPC Response to Stakeholder Recommendations to the Special Committee to Review the Freedom of Information and Protection of Privacy Act]

US – Study Offers Best Practices for Transparency Reporting: Institute

A new report from the Open Technology Institute at New America and the Berkman Center for Internet & Society at Harvard University examines best practices for transparency reporting. “The Transparency Reporting Toolkit: Survey & Best Practice Memos” is a compilation of eight memos highlighting challenges major U.S. Internet and telecommunications companies face when reporting on law enforcement and government requests for user information. Transparency reports came into prominence after the Snowden leaks in 2013, but the study says technology companies, including Google, Twitter and Microsoft, have not utilized best practices when crafting these reports and it is therefore hard to compare metrics. “By conducting this survey, we’ve laid the groundwork for stronger and more comprehensive transparency reporting on government requests for user data and information,” said the Open Technology Institute. [Source] See also: [Reddit removes ‘warrant canary’ from transparency report] [ACLU released an online map tracking instances of the government’s abuse of the All Writs Act.]

CA – Why Was NEB Deleting an Email Sent In the Middle of the Night?

Canada’s pipeline watchdog is under investigation by Parliament’s information commissioner for deleting an email that drew attention to a mistake made by an employee, said the National Energy Board (NEB). An internal NEB email revealed that the employee who made the mistake was the pipeline regulator’s head of security. The NEB staff believe the deleted email contained references to how the regulator’s top security official had given personal information about a co-worker to a private investigator. But the email disappeared from the records of the Calgary-based NEB after a senior bureaucrat instructed staff to delete it. People can go to jail or pay hefty fines in the thousands of dollars for deleting records of the federal government’s day-to-day business and operations, under Canada’s access to information legislation. The NEB denied it broke the law. An NEB spokesman said that the contents of the deleted email had revealed it shared information about its employee with a potential contractor without verifying the firm’s security clearance. The spokesman also told National Observer that NEB staff decided to delete the email to mitigate the risk of “harm” caused to the employee whose name was mentioned in the correspondence. [National Observer] Fifth in an in depth series about the National Energy Board. Part I here, Part II here, Part III here, Part IV here.

WW – Microsoft Transparency Report for Second Half of 2015

Microsoft’s transparency report for the second half of 2015 shows that the company received 11% more legal requests for information than it did in the first half of last year. In all, law enforcement agencies made 39,083 requests for information regarding 64,614 accounts. Microsoft provided subscriber data for two-thirds of the requests. In two percent of the cases, Microsoft surrendered content, such as email, instant messages, and data stored in OneDrive. Microsoft also received 505 emergency requests for information. [ZDNet] [MSFT blog] [MSFT Transparency Hub] [New Microsoft Transparency Report Includes Revenge Porn Removal Stats]


US – Law Enforcement Investigators Seek Out Private DNA Databases

Investigators are broadening their DNA searches beyond government databases and demanding genetic information from companies that do ancestry research for their customers. Two major companies that research family lineage for fees around $200 say that over the last two years, they have received law enforcement demands for individuals’ genetic information stored in their DNA databases. and competitor 23andme report a total of five requests from law agencies for the genetic material of six individuals in their growing databases of hundreds of thousands. turned over one person’s data for an investigation into the murder and rape of an 18-year-old woman in Idaho Falls, Idaho. 23andme has received four other court orders but persuaded investigators to withdraw the requests. The companies say law enforcement demands for genetic information are rare. [Associated Press]

Health / Medical

US – FTC’s Rich Outlines Health Data Protection Efforts, Calls for More Authority

Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, gave testimony to the House Subcommittee on Information Technology and the Subcommittee on Health, Benefits, and Administrative Rules of the Oversight and Government Reform Committee last week, explaining the Commission’s current efforts to safeguard consumer health data, while reinforcing the Commission’s request for expanded authority to go further. Rich spoke about the FTC’s concerns regarding the large amounts of health information data generated on platforms such as websites, wearable technologies and communication portals. While those technologies are not covered under HIPAA, they do fall under FTC jurisdiction. Rich said the Commission has addressed health data privacy and security issues through enforcement, policy initiatives and education, but believes the organization can be more effective in stopping unfair and misleading practices if Congress passes regulation strengthening the Commission’s existing data security authority. [Full Story]

US – Hospital Settles Largest Per Plaintiff Breach Payout in History

A judge ruled that California-based St. Joseph Health System must pay more than $28 million to settle a 31,074-plaintiff class action suit, the largest per-member settlement in data breach history. This result comes after U.S. District Judge Kenneth Hoyt dismissed a similar suit against the organization in 2015, calling the plaintiff’s concern over “heightened risk of future identity theft” insufficient grounds for legal action. As a result of the 2012 breach, the settlement requires defendants to allot $7.5 million for plaintiffs, $7.4 million for lawyers’ fees, $4.5 million for credit monitoring services, and $3 million for identity theft compensation. [Source]

US – Nurse Hands Over License After Texting Compromising Patient Picture

A New York nurse surrendered her license to practice after snapping pictures of an unconscious patient’s genitals and sending them to peers via text. The surrender was part of a plea deal in which Kristen Johnson pleaded guilty to misdemeanor disseminating of unlawful surveillance photos. Her conviction marked the conclusion of a nine-month, Onondaga County District Attorney’s Office investigation after co-workers complained about her texts. [CBS 6 Albany] [Police: Former Upstate nurse took pictures of patients’ intimate parts while unconscious] [Central NY nurse loses license over cell phone photo]

US – MedStar Health System Infected with Malware

Washington-Baltimore area healthcare provider MedStar Health has shut down some of its computer systems following a malware infection. The organization says its clinical facilities are still open. MedStar operates 10 hospitals and more than 250 outpatient facilities. The FBI is investigating. [eWeek] [The Hill] [Reuters]

Horror Stories

US – Verizon Customer Data Breach

Verizon has acknowledged that a breach of its Verizon Enterprise Solutions unit compromised customer data. Verizon Enterprise Solutions helps companies respond to data breaches. Last week, a post on an underground cybercrime forum offered 1.5 million Verizon Enterprise Solutions customer records for sale. Verizon says the compromised data are “basic contact information [of] enterprise customers.” [Krebs] [eWeek]

US – University of Central Florida Spends $110,000 After Computer Hack

A computer hack affecting the personal information of 63,000 people at the University of Central Florida resulted in a nearly $110,000 invoice for the month of February. The costs include $64,000 to operate the call center where students and staff could learn if their information was compromised, and another $45,000 to print and mail packets warning people of the hack. UCF says their cybersecurity insurance, which comes from an outside company, covered the costs. While UCF has worked to help the victims, the university still faces lawsuits in the aftermath of the data breach. [WFTV 9]

Identity Issues

CA – Ottawa Man Claims Identity Stolen Using Canada Post Website

Mike Wood says someone stole his identity and changed his mailing address using Canada Post’s website. When he called Canada Post, he was told his mail was being forwarded to another address, after someone paid $117 to make the change online. Wood said the postal service official wouldn’t tell him where his mail was ending up, and that police told him they couldn’t help without that information. Wood said Canada Post told him whoever apparently stole his identity would have had to answer multiple security questions. He’s not sure how that’s possible. He added that a Canada Post representative also told him that tax season is a common time for identity theft, because tax forms include social insurance numbers. Canada Post wouldn’t comment about the case, beyond confirming that they are investigating. [CTV News]

Internet / WWW

US – Hogan Lovells Issues Legal Analysis of the EU-U.S. Privacy Shield

Law firm Hogan Lovells has released a 60-plus-page “Legal Analysis of the EU-U.S. Privacy Shield,” whereby the report’s authors assess the likelihood the Shield will withstand legal challenge by referencing jurisprudence of the Court of Justice of the European Union. Their conclusion? “[T]he Privacy Shield Framework provides an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the U.S.” The assembled lawyers, on both sides of the Atlantic, set up “detailed and complex criteria” for assessing the Shield, and “in every instance, we have concluded that each criterion is met.” [HLDA] See also: [Why the cloud makes the EU-US Privacy Shield meaningless]

Law Enforcement

CA – Town of Banff Considers RCMP Traffic Camera Use

Banff RCMP want to use the Town of Banff’s downtown traffic cameras to help them solve crimes and nab crooks. At a council meeting last week, council considered a proposal from Banff RCMP to use the traffic cameras to help them solve crimes, but issues of personal privacy first need to be addressed. Town council unanimously directed administration to return with a report considering the Freedom of Information and Protection of Privacy Act (FOIP) implications of using the traffic cameras to help solve crimes. “Banff has a very low crime rate and we live in a very safe community,” said Councillor Karlos Stavros, who voiced support for the move. “We’re not talking about active surveillance at all. It’s about the ability to provide evidence for cases.” The Town of Banff’s traffic cameras, set up at various intersections in the downtown core, are currently used only to capture traffic data to help monitor traffic flow and overall traffic management. One of the camera types takes a still photo every minute and also has potential to take video. Currently, no personal information such as licence plate numbers or car occupant faces is recorded. Banff RCMP wants to expand the purpose of the traffic camera systems, not for ongoing surveillance, but as an investigative tool. [Source]

Online Privacy

EU – France Fines Google Over ‘Right To Be Forgotten’

The French data protection authority said it has fined Google €100,000 for not scrubbing web search results widely enough in response to a European privacy ruling. The only way for Google to uphold the Europeans’ right to privacy was by delisting inaccurate results popping up under name searches across all its websites, the Commission Nationale de l’Informatique et des Libertes (CNIL) said in a statement. [Reuters] [CNIL – Deliberation No. 2016-054 – Google Inc] [Press Release]

Other Jurisdictions

WW – MSFT Creates Special Chinese Government Version of Windows 10

Microsoft is now ready to roll with a version of Windows 10 designed specifically for the Chinese government, it has emerged. Back in December, Microsoft and China Electronics Technology Group Corp  announced they were setting up a Beijing-based joint partnership called C&M Information Technologies. The new organization will develop a specific build of Windows 10 for Middle Kingdom mandarins. This version will be “a government-approved Windows 10 image, including Chinese capabilities such as government selected antivirus software,” and be made available to “state-owned enterprise customers” including “government and critical infrastructure.” C&M “will provide product activation, patch management, deployment services and product support, as needed, to these government customers.” It will also “collect feedback from these government customers on their specific use requirements to inform the creation of the successive updates of the government Windows 10 image, which may be developed by the joint organization.” Presumably this feedback won’t include all the data Windows 10 routinely sends back to Redmond; this telemetry will likely be curtailed seeing as it’s an enterprise-friendly build. [The Register] See also: [US Navy paid millions to stay on Windows XP]

Privacy (US)

US – FCC Votes To Propose New Privacy Rules for ISPs

FCC Chairman Tom Wheeler moved yet another of his controversial proposals forward last week. The commission voted on party lines, 3-2, to advance a proposed rule imposing strong privacy regulations on ISPs. Wheeler wants to improve how ISPs treat individuals’ privacy when the market makes customer data immensely valuable. That data can give providers and analysts a perfect picture of the details making up a person’s everyday life, and the commission’s majority thinks that’s intrusive. The proposed rule would obligate companies to tell their customers what information they collect, how and if they share it with third parties, and how customers can change those privacy preferences. The proposal also would allow ISPs to use consumer data to sell other communications services or share it with outside marketers in that field. But it would allow customers to opt out of those practices. This is only the beginning. Before officials begin drafting final rules, they’ll need to wait for comments from industry members, think tanks and the general public. It’s a controversial idea. Republicans on the commission, GOP lawmakers in the House, and even members of the broadband industry have all pushed back on the proposed rule. The Republican commissioners were vocal about their dissent. The FTC already regulates privacy. [Source] [FCC OKs Proposed Privacy Rules With a Lot of Pushback] [How The FCC’s Proposed Privacy Rules Would Create A False Sense Of Consumer Privacy] [FCC Sparks Turf Wars As It Raises Washington Profile] [EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules]

US – FTC to Host Fall Seminar Series on Emerging Consumer Technology Issues

The FTC will host a series of seminars this fall to examine three new and evolving technologies that are raising critical consumer protection issues. The FTC Fall Technology Series comprises three half-day events that will explore ransomware, drones, and smart TV. In 2014, the Commission held a series of seminars examining the privacy implications of mobile device tracking, consumer generated health data, and alternative scoring techniques. [Drone bazooka is here]

FTC Fall Technology Series: Ransomware – 9 a.m. to noon, September 7, 2016

FTC Fall Technology Series: Drones – 9 a.m. to noon, October 13, 2016

FTC Fall Technology Series: Smart TV – 9 a.m. to noon, December 7, 2016


US – US Federal Agencies and Ransomware

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security (DHS). Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [ComputerWorld: Ransomware Uses Windows PowerShell] [CarbonBlack] [Petya Ransomware Encrypt Master File Table]

US – FBI Seeking Help with Ransomware Investigation

Reuters obtained a copy of a confidential “Flash” advisory, dated March 25, 2016, in which the FBI asked companies and security experts for help in its investigation of ransomware known as MSIL/Samas.A. This particular malware tries to encrypt data on an entire network rather than encrypting data on an individual computer. [Reuters] [With regard to ransomware, the Computer Incident Response Center Luxembourg (CIRCL) has released an excellent guide on “Proactive defenses and incident response”] In the wake of a number of high-profile attacks against hospitals, [legislators are moving to update cybersecurity laws to include protection against ransomware threats] [Ransomware not covered by e-health record laws]

US – Three More US Hospitals Infected with Ransomware

Three more US hospitals have disclosed that their systems were hit with ransomware. Methodist Hospital in Henderson, Kentucky information systems director Jaime Reid said the cause of the “Internal State of Emergency” at the hospital was Locky ransomware. Chino Valley Medical Center and Desert Valley Hospital in California were also struck with ransomware; both were operating normally by Wednesday, March 23. [Krebs] [BBC] [ArsTechnica] [NBCNews] See also: [Is Ransomware Considered A Health Data Breach Under HIPAA?]

US – Medical Dispensing Systems Have Remotely Exploitable Flaws

More than 1,400 remotely exploitable vulnerabilities were found in CareFusion’s Pyxis SupplyStation medical dispensing systems. More than half of the flaws found were given a severity rating of high or critical. The issues affect Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2, and 9.3 on Windows Server 2003/Windows XP. Versions 9.3, 9.4, and 10.0 running on Windows Server 2008/Windows Server 2012/Windows 7 are not affected. The US Department of Homeland Security’s (DHS’s) Industrial Control System CERT has issued an advisory. [The Register] [SCMagazine] [ComputerWorld] [ICS-CERT Advisory]

US – Investigation Finds Security Gaps in State Department Visa Database

Security gaps discovered in a State Department system could allow hackers to doctor visa applications, or steal sensitive data. Several months ago, the State Department conducted an internal review and learned that its Consular Consolidated Database, the government’s “backbone” for vetting travelers, was in danger of being compromised. The CCD, one of the largest biometric databases in the world, holds the personal information of nearly anyone who applied for a passport. A cyberattack could compromise sensitive information, including photographs, fingerprints and Social Security numbers, making it valuable for hackers looking to steal identities. Hackers could also alter records approving visa applications for individuals linked to terrorism who would normally be rejected. The State Department says it has addressed these concerns, and any vulnerabilities would be difficult to exploit. [ABC News]

CA – Keystroke Loggers Found at Concordia University

Keystroke logging devices were found on several workstations in the Webster and Vanier libraries at Concordia University in Montreal, Quebec. School officials have notified local authorities. [SC Magazine] [University Notice]

WW – Macro Blocking Now Available in Office 2016

Microsoft has added a feature to Office 2016 that allows enterprise administrators to block macros from executing. The feature can be configured for each application and is controlled through Group Policy. It can be used to disable macros in documents that come from the Internet zone. [The Register] [ComputerWorld] [MSFT Blog]


CA – Civil-Rights Group Appeals on Police Use of Cellphone Surveillance

Pivot Legal Society, a British Columbia-based legal-advocacy organization, filed an appeal with the province’s privacy commissioner after Vancouver police refused to disclose documents related to whether they use an invasive technology known as Stingray. …Wednesday was the deadline for interveners to file submissions on Pivot Legal’s appeal. Groups such as the B.C. Civil Liberties Association and OpenMedia argue that police are “stonewalling” attempts by the public to know the extent of the device’s use, which is putting Canadians’ constitutional rights at risk and preventing law enforcement from being held accountable. [Globe & Mail] [B.C.’s privacy commissioner launches inquiry into phone-monitoring device] [Canadian Cops Won’t Say if They Use ‘Stingray’ Mass Surveillance Devices] [Guilty pleas end risk of revealing RCMP surveillance technology]

CA – OIPC AB Finds Condominium Used Surveillance PI for Contrary Purposes

The Alberta OIPC investigated the Grandin Manor Ltd., a condominium corporation, for alleged violations of the Personal Information Protection Act. Unit owners of the condominium provided deemed consent for the collection and use of their personal information by the surveillance system because a majority of owners voted to implement the system and there is proper signage about the use of the cameras; however, personal information from the system was retrieved and used to send a warning letter to an individual for conduct unrelated to maintenance of building security. [OIPC AB – Order P2016-02 – Grandin Manor Ltd]

WW – Surveillance Silences Minority Opinions: Study

A new study published in Journalism and Mass Communication Quarterly found that those who felt their opinions on mass surveillance were in the minority were less likely to express them. The questionnaire exposed some to subtle reminders of government surveillance and others not. Once the idea of government surveillance is introduced, researcher Elizabeth Stoycheff found, participants — even those who indicated they support government surveillance for national security — were less likely to speak out about nonconformist ideas. [Washington Post]

US Government Programs

US – EPIC Scrutinizes DHS “Insider Threat” Database

In comments to the Department of Homeland Security, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on a wide variety of individuals outside the federal agency. The database would include information from the Standard Form 86, which is a 127-page questionnaire for national security positions. The form includes SSN, passport and driver license number, and medical reports among other sensitive data. The DHS database will cover broad categories of individuals, including persons who are not under investigation. The database will contain records not only on current and former DHS employees and contractors, but also on family members, dependents, relatives, and personal associates of individuals who are under investigation. EPIC urged DHS to narrow the scope of individuals included in the database and limit the amount of data collected. EPIC also urged DHS to significantly narrow the Privacy Act exemptions for its database and withdraw unnecessary proposed routine use disclosures. The Privacy Act exemptions DHS has proposed would allow the agency to ignore complying with a number of Privacy Act safeguards, including requirements to maintain accurate records and to limit collection to only that information necessary for the detection and prevention of insider threats. Moreover, DHS’s proposed routine uses would allow the agency to disclose database records to numerous entities for purposes unrelated to addressing “insider threats,” including hiring decisions and DHS public relations. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases.

US Legislation

US – Senate Passes FOIA Reform Bill

The Senate passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), requires federal agencies to operate under a “presumption of openness,” and places time limits on the FOIA’s Exemption 5. Exemption 5 is most commonly invoked to protect the “deliberative process privilege” of inter- and intra-agency memoranda. The FOIA currently places no time limit on the exemption. The bill also seeks to strengthen the Office of Government Information Services (OGIS) and require new reporting on the use of exemptions and audits of agency FOIA processes. In promoting the legislation, Senator Leahy said the bill “will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency.” The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates previously urged the President to support the bipartisan legislation, pressing the President to honor his commitment to an “unprecedented level of openness” in his administration by pushing Congress to update the FOIA. The coalition identified six core ways the FOIA should be updated: (1) codify a presumption of disclosure; (2) require agencies seeking to withhold information to show foreseeable harm; (3) require agencies to weigh the public interest when withholding under Exemption 5; (4) exclude from Exemption 5 records older than 25 years; (5) waive fees when agencies miss statutory deadlines; and (6) expand the role of OGIS.